Worm:W32/Agent.BTZ: Worms are computer programs that replicate independently by copying themselves to other systems.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
The files "winview.ocx" and "mswmpdat.tlb" holds the log of the files and their location that the malware has installed. The content of these file are encrypted. The file "muxbde40.dll" is the malware itself with a different name.
The worm spreads by creating an AUTORUN.INF file to the root of each drive with the malicious .dll file. The contents of the file are as follows:
[autorun] open= shell\open=Explore shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM shell\open\Default=1
Note: [RANDOM] represents a random name that the worm creates for the dll. If the malware detects a new partition, or usb stick for example, it will get infected immediately. The registry keys are used to make sure that the malware gets launched when the computer starts.
Creates these files:
Attempts to download files from:
Sets these values:
Creates these keys:
Date Created: 2008-06-26 15:41:53.0
Date Last Modified: 2008-06-26 16:54:32.0