W32/Blaxe-A

Discussion in 'malware problems & news' started by FanJ, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    W32/Blaxe-A

    Aliases
    Worm.P2P.Blaxe, Win32/Lablan.A, W32.HLLW.Blaxe, WORM_BLAXE.A

    Type
    Win32 worm

    Description
    W32/Blaxe-A is a worm which spreads via file sharing on P2P networks.

    When first run, W32/Blaxe-A copies itself to the Windows folder as BearShare.exe and WinBat.exe and creates the following registry entries so that BearShare.exe is run automatically each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\BearShare
    = %WINDOWS%BearShare.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BearShare
    = %WINDOWS%\BearShare.exe

    W32/Blaxe-A adds the pathname of WinBat.exe to the following registry entry so that WinBat.exe is run each time a MS-DOS batch file is run or opened:

    HKLM\Software\CLASSES\batfile\shell\open\command

    W32/Blaxe-A creates a sub-folder of the Windows folder named \Kernell\, with the Hidden attribute set, and copies itself to this folder using filenames such as:


    Read more:
    http://www.sophos.com/virusinfo/analyses/w32blaxea.html
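A check for the registry traces listed in the post above, added here as an example (it is not part of the original post or the Sophos analysis). It reads registry data in `.reg` export syntax and flags the BearShare autorun values and a changed batfile open command. The sample data is constructed, the Windows folder is assumed to be `C:\WINDOWS`, and the names `parse_reg` and `findings` are hypothetical.

```python
import re

# Handler Windows ships for batfile\shell\open\command (default value).
BATFILE_DEFAULT = '"%1" %*'
BATFILE_KEY = r"hkey_local_machine\software\classes\batfile\shell\open\command"
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Constructed sample in .reg export syntax; the WinBat.exe command line is assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"BearShare"="C:\\WINDOWS\\BearShare.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BearShare"="C:\\WINDOWS\\BearShare.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="C:\\WINDOWS\\WinBat.exe \"%1\" %*"
'''

def parse_reg(text):
    """Parse .reg text into {key: {name: data}}; the default value is stored under None."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (
            m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
        ):
            name = None if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def findings(text, windir=r"C:\WINDOWS"):
    """Return (kind, key, value name, data) for each persistence trace described above."""
    keys, hits = parse_reg(text), []
    dropped = f"{windir}\\BearShare.exe".lower()
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if data.strip('"').lower() == dropped:
                hits.append(("autorun", key, name, data))
    cmd = keys.get(BATFILE_KEY, {}).get(None)
    if cmd is not None and cmd != BATFILE_DEFAULT:
        hits.append(("batfile-handler", BATFILE_KEY, None, cmd))
    return hits
```

Pass a different `windir` (for example `C:\WINNT`) when the Windows folder is elsewhere; any batfile open command other than the shipped default is reported, not only one that names WinBat.exe.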
     