W32.Sillyban.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe
Removal: Easy
Platform: W32
Discovered: 19 Oct 2007
Damage: Low

Characteristics: W32.Sillyban.A is a worm that spreads by copying itself to mapped drives.

More details about W32.Sillyban.A

W32.Sillyban.A is a worm that spreads by copying itself to fixed drives. When the worm runs, it creates the following files:

“C:\heap41\2.mp3”
“C:\heap41\autorun.inf”
“C:\heap41\drivelist.txt”
“C:\heap41\Icon.ico”
“C:\heap41\reproduce.txt”
“C:\heap41\script1.txt”
“C:\heap41\svchost.exe”
“C:\heap41\std.txt”
“C:\heap41\offspring\autorun.inf”
“%Temp%\MicrosoftPowerPoint\2.mp3”
“%Temp%\MicrosoftPowerPoint\drivelist.txt”
“%Temp%\MicrosoftPowerPoint\Icon.ico”
“%Temp%\MicrosoftPowerPoint\Install.txt”
“%Temp%\MicrosoftPowerPoint\pathlist.txt”
“%Temp%\MicrosoftPowerPoint\svchost.exe”
“%UserProfile%\Start Menu\Programs\Startup\.lnk”

It then creates registry entries so that it runs whenever Windows starts. The worm copies itself to all removable drives as “%DriveLetter%\reproduce.txt”. It also copies the “%DriveLetter%\autorun.inf” file so that it runs whenever the drive is opened. W32.Sillyban.A watches the title of the active window for the “orkut” and “youtube” strings.

If either the “orkut” or the “youtube” string is found, the worm displays the message “[STRING] is BANNED you fool, The adminstrators didn't write this program guess who did??”. W32.Sillyban.A also watches the title of the active window for the “Mozilla Firefox” string and, if that string is found, displays the message “USE INTERNET EXPLORER YOU DOPE, I DNT HATE MOZILLA BUT USE IE OR ELSE...”. The worm also closes the active window and then plays the “c:\heap41\2.mp3” audio file.
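
A host and drive sweep for the file artifacts named in this entry, added here as an example and not part of the original write-up. The function names and the rule that autorun.inf is reported only beside reproduce.txt are assumptions of this example; the registry entries and the Startup shortcut are not checked because the entry does not name them.

```python
import os
import string
from pathlib import Path

# File names as listed in the entry above; function names are this example's own.
HEAP41_FILES = ["2.mp3", "autorun.inf", "drivelist.txt", "Icon.ico",
                "reproduce.txt", "script1.txt", "svchost.exe", "std.txt",
                "offspring/autorun.inf"]
TEMP_FILES = ["2.mp3", "drivelist.txt", "Icon.ico", "Install.txt",
              "pathlist.txt", "svchost.exe"]


def sweep_host(system_drive, temp_dir):
    """Return the listed artifact files that exist under heap41 and %Temp%."""
    candidates = [Path(system_drive) / "heap41" / n for n in HEAP41_FILES]
    candidates += [Path(temp_dir) / "MicrosoftPowerPoint" / n for n in TEMP_FILES]
    return [p for p in candidates if p.is_file()]


def sweep_drive(root):
    """Return the worm's copy, and the autorun.inf beside it, on one drive root.

    Assumption of this example: autorun.inf on its own is not reported, because
    legitimate media can carry one; it counts only next to reproduce.txt.
    """
    copy = Path(root) / "reproduce.txt"
    if not copy.is_file():
        return []
    autorun = Path(root) / "autorun.inf"
    return [copy] + ([autorun] if autorun.is_file() else [])


if __name__ == "__main__":
    # On Windows: check the system drive, the user's temp folder, every drive root.
    system_drive = os.environ.get("SystemDrive", "C:") + "\\"
    hits = sweep_host(system_drive, os.environ.get("TEMP", system_drive + "Temp"))
    for letter in string.ascii_uppercase:
        root = Path(letter + ":\\")
        if root.exists():
            hits += sweep_drive(root)
    for path in hits:
        print("FOUND", path)
    print("artifacts found:", len(hits))
```

A svchost.exe reported under heap41 or %Temp% is worth attention on its own, since the legitimate Windows binary of that name lives in the system directory.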