gphone.exe a.k.a [W32.Imaut.E, Worm.Win32.AutoIt.ch]
Written by pnyet   
Today I got a patient showing the symptom of a file that looks like a folder but has an .exe extension; the name of this "folder" is gphone.exe. The file cannot be deleted because it is in use by several running applications. After scanning with an antivirus without success, I finally decided to google it. I found many links, but since I am currently using Symantec Antivirus I added the keyword symantec gphone.exe, and the definition and removal instructions are below.
Discovered: December 23, 2008
Updated: December 23, 2008 5:10:28 PM
Also Known As: Worm.Win32.AutoIt.ch [Kaspersky], W32/Yahlover.worm.gen.c [McAfee], Win32.Worm.YahLover.C [BitDefender], AutoIt/Sohanad.AQ [Microsoft], W32/Sohana-BR [Sophos]
Type: Worm
Infection Length: 278,433 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
The threat may arrive on the compromised computer as the following file that looks like a webcam icon:
14BOQ-PO.exe
When the worm is executed, it searches for the following file on the compromised computer:
C:\Install.txt

If the above file is not present on the compromised computer, the worm creates the following files:
  • %Windir%\gphone.exe
  • %System%\gphone.exe
  • %System%\DEFAULT_NOT_SET.exe
  • %System%\autorun.ini
  • %System%\setting.ini
  • %Temp%\log_[TIME AND DATE].txt

The worm may also create one of the following files on Windows Vista:
  • C:\Documents and Settings\All Users\Desktop\gphone.exe
  • %Temp%\gphone.exe
  • %System%\gphone.exe

The worm runs the following command so that it is executed every day:
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSTEM%\gphone.exe

It then creates the following file:
%Windir%\Tasks\At1.job

The worm then searches the computer for the following file:
C:\disk.txt

If the above file is not present on the computer, it copies itself to the following locations:
  • %DriveLetter%\New Folder.exe
  • %DriveLetter%\gphone.exe
  • %DriveLetter%\autorun.inf

The worm then searches the following registry subkey for available network shares:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

It then copies itself to all available network shares as the following files:
  • [ROOT FOLDER]\New Folder.exe
  • [ROOT FOLDER]\gphone.exe
  • [ROOT FOLDER]\autorun.inf
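As an added defender-side example (not part of the Symantec write-up or the original post), the following Python script walks a directory tree and flags the artifacts described above: the dropped executable names, an `At1.job` file inside a `Tasks` folder, and any `autorun.inf` whose launch entry points at one of those executables. The sample tree and the autorun.inf contents are constructed for the demonstration; the real autorun.inf body is not given on the page.

```python
import os
import re
import tempfile
from pathlib import Path

# File names the write-up lists as dropped or copied by the worm (lower-cased).
DROPPED_NAMES = {"gphone.exe", "default_not_set.exe", "new folder.exe", "14boq-po.exe"}
# autorun.inf keys that cause a program to run when the drive/share is opened.
AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_target(text):
    """Return the program an autorun.inf would launch, or None if it has no launch key."""
    for line in text.splitlines():
        m = AUTORUN_KEY.match(line)
        if m:
            return m.group(2)
    return None


def scan_tree(root):
    """Walk root and return (path, reason) pairs for every indicator found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in DROPPED_NAMES:
                hits.append((str(path), "dropped executable name"))
            elif lower == "autorun.inf":
                target = autorun_target(path.read_text(errors="replace"))
                # Take the bare file name whether the path uses \ or / separators.
                if target and re.split(r"[\\/]", target)[-1].lower() in DROPPED_NAMES:
                    hits.append((str(path), f"autorun.inf launches {target}"))
            elif lower == "at1.job" and Path(dirpath).name.lower() == "tasks":
                hits.append((str(path), "AT scheduled task job file"))
    return hits


def build_sample_tree():
    """Constructed sample tree mimicking the drops in the write-up (empty stand-in files)."""
    root = Path(tempfile.mkdtemp())
    (root / "Windows" / "Tasks").mkdir(parents=True)
    (root / "Windows" / "gphone.exe").write_bytes(b"")
    (root / "Windows" / "Tasks" / "At1.job").write_bytes(b"")
    (root / "E").mkdir()                       # stand-in for a removable drive root
    (root / "E" / "New Folder.exe").write_bytes(b"")
    (root / "E" / "autorun.inf").write_text("[autorun]\r\nopen=.\\gphone.exe\r\n")
    (root / "E" / "readme.txt").write_text("benign")
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_tree()):
        print(f"{reason:30} {path}")
```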