Aliases: W32/Antinny.gen!p2p, WORM_ANTINNY.AF
Variants: W32/Antinny-P, Worm.Win32.Antinny.af, W32.HLLW.Antinny.G

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Jan 2006
Damage: Medium

Characteristics: This worm specifically targets the WinNY P2P file sharing network and abuses the file exchange among its users to distribute its payload. W32.Antinny.AX has been observed stealing information from the infected machine and launching Denial of Service attacks against various websites.

More details about W32.Antinny.AX

This Peer to Peer worm steals data by reading the contents of files with the TXT, DOC, DBX, PDF, XLS, and PPT extensions. Like most data-stealing malware, W32.Antinny.AX also takes periodic screenshots of the user's desktop; the captured images are stored under Japanese filenames in a subfolder of its own beneath the TEMP folder of the Windows directory. The worm searches the file sharing folder of the WinNY application for, among others, the Download.txt, tab1.txt, tab2.txt, and kakikomi.txt files, and also scans the Favorites, Recent, and Local Settings folders of the user's profile directory for other stored sensitive data. It drops a Trojan Horse executable named sttemp.exe into the TEMP directory, and extracts the files ms[RANDOM].exe and winsm.exe into the System folder of the Windows directory.

W32.Antinny.AX registers itself as a service by adding a WindowsSecurityManager entry to the Windows Registry. To protect its infection, the malware attempts to terminate the Windows Task Manager as well as the Process Explorer and ProcessWalker process-viewing tools (the latter two are third-party utilities, not components of Windows). According to some antivirus developers, it can only successfully terminate the Task Manager of the Japanese version of Windows. These tools are presumably targeted to prevent the user from directly ending the worm's background processes.
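The dropped files and the service name above are the indicators a responder would check for on a suspect host. The following triage script is an added example, not code from this page or from any antivirus vendor; it matches a file listing and a service list against those indicators. The file paths, the service names and the allowlist of legitimate ms*.exe binaries are constructed for the example. Note the caveat it encodes: ms[RANDOM].exe in the System folder is a weak indicator on its own, because many legitimate Microsoft binaries there (msiexec.exe, mspaint.exe, ...) also start with "ms", so that match is reported with low confidence and only when the name is absent from a clean-host baseline.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
SERVICE_NAME = "WindowsSecurityManager"   # registry service entry
TEMP_DROPPER = "sttemp.exe"               # Trojan Horse dropped into TEMP
SYSTEM_DROPPED = "winsm.exe"              # extracted into the System folder
# ms[RANDOM].exe in the System folder; weak on its own (see lead-in).
MS_RANDOM = re.compile(r"^ms[a-z0-9]+\.exe$", re.IGNORECASE)

# Constructed allowlist of legitimate ms*.exe names; a real baseline should
# be collected from a known-clean machine of the same Windows build.
KNOWN_MS_BINARIES = {"msiexec.exe", "mspaint.exe", "msdtc.exe", "mshta.exe",
                     "msconfig.exe", "msg.exe", "msinfo32.exe"}

# PureWindowsPath compares case-insensitively, matching NTFS semantics.
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")


def classify_file(path_str):
    """Return (confidence, reason) if the path matches an indicator, else None."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    if p.parent == SYSTEM_DIR:
        if name == SYSTEM_DROPPED:
            return ("high", "winsm.exe present in the System folder")
        if MS_RANDOM.match(name) and name not in KNOWN_MS_BINARIES:
            return ("low", "unbaselined ms*.exe in the System folder")
        return None
    # Any folder literally named "Temp" (C:\Windows\Temp or the user's
    # Local Settings\Temp) counts as the TEMP directory here.
    if name == TEMP_DROPPER and p.parent.name.lower() == "temp":
        return ("high", "sttemp.exe dropper in a TEMP folder")
    return None


def classify_service(service_name):
    """True if the service name matches the worm's registry entry."""
    return service_name.lower() == SERVICE_NAME.lower()


def triage(file_paths, service_names):
    """Collect (confidence, item, reason) findings over a host snapshot."""
    findings = []
    for fp in file_paths:
        hit = classify_file(fp)
        if hit:
            findings.append((hit[0], fp, hit[1]))
    for svc in service_names:
        if classify_service(svc):
            findings.append(("high", svc, "WindowsSecurityManager service registered"))
    return findings


# Constructed host snapshot: a directory listing and the installed services.
SAMPLE_FILES = [
    r"C:\Windows\System32\msiexec.exe",      # legitimate, baselined
    r"C:\Windows\System32\msa8f2k1.exe",     # unbaselined ms*.exe -> low
    r"C:\Windows\System32\winsm.exe",        # dropped file -> high
    r"C:\Windows\Temp\sttemp.exe",           # dropper -> high
    r"C:\Documents and Settings\user\Local Settings\Temp\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_SERVICES = ["Dnscache", "WindowsSecurityManager", "Themes"]

if __name__ == "__main__":
    for confidence, item, reason in triage(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"[{confidence}] {item}: {reason}")
```

On a live Windows host the two inputs would come from a recursive directory listing of the System and TEMP folders and from the installed services list (for example the output of `sc query` or PowerShell's `Get-Service`); feeding them through `triage` gives a ranked list to confirm manually, since a low-confidence ms*.exe hit needs a signature or hash check before it is treated as the worm.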