Hi hamidr86,

Here are the virus’s characteristics:
Overview -

Detection for this worm was added to cover against a 32-bit PE file called “soundmax.exe”, having a file size of 139.264 bytes.
Characteristics -

The file is not internally compressed with a packer. The file is written using the MSVC++ development tool.

Upon execution, it runs silently; no GUI messages appear on the screen.

It immediately copies itself and creates a registry entry so that the worm gets executed automatically upon system start:

*  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SoundMax"
    Data: C:\Program Files\Sound Utility\Soundmax.exe

Besides that it might change the registry with

*  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Nofolderoptions"
    Data: 01, 00, 00, 00

The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders. In these it might copy itself as “Sex_ScreenSaver.scr” and/or “Sex_Game.exe”.

There’s no exploit associated with it, infection starts with manual execution of the worm.

*  c:\autoply.exe (size: 139.264 bytes)
*  c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe (size: 139.264 bytes)
*  c:\Program Files\Common Files\Microsoft Shared\MSshare.exe (size: 139.264 bytes)
*  c:\Program Files\Sound Utility\Soundmax.exe (size: 139.264 bytes)
*  c:\WINNT\Web\OfficeUpdate.exe (size: 139.264 bytes)

Besides these it might try to drop/create:

c:\Autorun.inf (size: 301 bytes)

A file called “important.htm” on the desktop, titled Salam - Doste - Man.

Symptoms -

* Presence of a 32-bit PE file called "soundmax.exe", having a file size of 139.264 bytes.
* Presence of the mentioned registry modifications
* It might try to drop/create a file called c:\Autorun.inf (size: 301 bytes)
* It might try to drop/create a file called "important.htm" on the desktop, titled Salam - Doste - Man.

Method of Infection -

* The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders.
* There's no exploit associated with it, infection starts with manual execution of the worm.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher

pol
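
An added example, not part of the post above or of the vendor's tooling: a Python check that looks for the file indicators listed in the description on a mounted copy of the C: volume. The function names and the mounted-volume setup are assumptions; the registry values and the desktop file are not covered.

```python
import os

# Indicators copied from the description above. Sizes assume "139.264" uses a
# period as thousands separator, i.e. 139264 bytes (assumption).
WORM_SIZE = 139264
AUTORUN_SIZE = 301
WORM_PATHS = [
    "autoply.exe",
    "Documents and Settings/##user##/Local Settings/Temp/svchost.exe",
    "Program Files/Common Files/Microsoft Shared/MSshare.exe",
    "Program Files/Sound Utility/Soundmax.exe",
    "WINNT/Web/OfficeUpdate.exe",
]
LURE_NAMES = {"sex_screensaver.scr", "sex_game.exe"}  # names used in shared folders


def _size(path):
    """Size of a regular file, or -1 if it is missing or unreadable."""
    try:
        return os.path.getsize(path) if os.path.isfile(path) else -1
    except OSError:
        return -1


def resolve(root, parts):
    """Case-insensitive lookup under root; '##user##' matches every profile folder."""
    found = [root]
    for part in parts:
        found = [os.path.join(d, name)
                 for d in found if os.path.isdir(d) for name in os.listdir(d)
                 if part == "##user##" or name.lower() == part.lower()]
    return found


def scan_volume(root):
    """Return sorted (indicator, path) hits under a mounted copy of C: (hypothetical helper)."""
    hits = []
    for rel in WORM_PATHS:
        hits += [("worm-copy", p) for p in resolve(root, rel.split("/"))
                 if _size(p) == WORM_SIZE]
    hits += [("autorun-inf", p) for p in resolve(root, ["Autorun.inf"])
             if _size(p) == AUTORUN_SIZE]
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() in LURE_NAMES and _size(path) == WORM_SIZE:
                hits.append(("share-lure", path))
    return sorted(hits)
```

A size match alone is a weak indicator, so treat each hit as a file to scan with current engine and DAT files rather than as a confirmed infection.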