W32/Blaxe-A

Discussion in 'malware problems & news' started by FanJ, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    W32/Blaxe-A

    Aliases
    Worm.P2P.Blaxe, Win32/Lablan.A, W32.HLLW.Blaxe, WORM_BLAXE.A

    Type
    Win32 worm

    Description
    W32/Blaxe-A is a worm which spreads via file sharing on P2P networks.

    When first run, W32/Blaxe-A copies itself to the Windows folder as BearShare.exe and WinBat.exe and creates the following registry entries so that BearShare.exe is run automatically each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\BearShare
    = %WINDOWS%BearShare.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BearShare
    = %WINDOWS%\BearShare.exe

    W32/Blaxe-A adds the pathname of WinBat.exe to the following registry entry so that WinBat.exe is run each time an MS-DOS batch file is run or opened:

    HKLM\Software\CLASSES\batfile\shell\open\command

    W32/Blaxe-A creates a sub-folder of the Windows folder named \Kernell\, with the Hidden attribute set, and copies itself to this folder using filenames such as:


    Read more:
    http://www.sophos.com/virusinfo/analyses/w32blaxea.html
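
A check for the persistence entries described in the post above, added here as an example (not part of the original post or of the Sophos analysis). It scans the decoded text of a `reg export` file; the `C:\WINDOWS` paths, the form of the hijacked batfile command and the whole `SAMPLE` export are constructed assumptions.

```python
import re

# File names come from the advisory; paths and sample data are assumptions.
DROPPED = ("bearshare.exe", "winbat.exe")
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
BATFILE_SUFFIX = r"\batfile\shell\open\command"
BATFILE_DEFAULT = '"%1" %*'  # stock Windows handler for batch files

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text.

    Real exports are usually UTF-16; decode them before calling this.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escapes
            yield key, name, data

def find_blaxe_persistence(text):
    """Return (kind, key, value_name, data) tuples matching the advisory."""
    findings = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if k.endswith(AUTORUN_SUFFIXES) and any(f in d for f in DROPPED):
            findings.append(("autorun", key, name, data))
        elif (k.endswith(BATFILE_SUFFIX) and name == "(Default)"
              and data.strip() != BATFILE_DEFAULT):
            findings.append(("batfile-handler", key, name, data))
    return findings

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"BearShare"="C:\\WINDOWS\\BearShare.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command]
@="C:\\WINDOWS\\WinBat.exe \"%1\" %*"
'''
```

Any batfile open command that differs from `"%1" %*` is reported, so the handler check also flags changes that do not name WinBat.exe.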
     