Malicious Software Encyclopedia: Win32/Antinny
Published: October 12, 2005
Win32/Antinny is a family of worms that targets certain versions of Microsoft Windows. The worm spreads using a Japanese peer-to-peer file-sharing application named Winny. The worm creates a copy of itself with a deceptive file name in the Winny upload folder so that it can be downloaded by other Winny users.

http://www.microsoft.com/japan/security/encyclopedia/Antinny.mspx
Threat Overview
| Property | Value |
|---|---|
| Class/type | Worm - Program-specific |
| Discovered | April 22, 2005 |
| Circulating | No |
| Affected operating systems | Windows NT 4.0, Windows 95, Windows 2000, Windows XP, Windows Server 2003, Windows ME, Windows 98 |
| Affected software | Not specified |
| Infection rating | Medium |
| Recovery difficulty | Moderate |
| Damage rating | Low |
| Transmission rating | Medium |
Aliases (Also Known As)
Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):
McAfee: W32/Antinny.worm
Symantec: W32.HLLW.Antinny
Trend Micro: WORM_ANTINNY.A
Learn more about the Microsoft Virus Information Alliance.
Technical Analysis

Win32/Antinny may take the following actions:
How to Prevent Infection
Follow these steps to help prevent infection on your system:
1. Enable a firewall on your computer.
2. Get the latest computer updates.
3. Use up-to-date antivirus software.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Highlight a connection that you want to help protect, and click Change settings of this connection.
4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
1. Click Start, and click Control Panel.
2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
3. Click System.
4. Click Automatic Updates, and select Keep my computer up to date.
5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
How to Tell If Your Computer Is Infected
Win32/Antinny may display a dialog box with a fake error message in Japanese that resembles this message:
It can also display a graphic such as the following image:

The worm may create a text file in %temp% that begins with the following text:
" ----------------------------------------------------------------
Trillian v0.74E
September, 2003
http://www.ceruleanstudios.com
RELEASE NOTES
----------------------------------------------------------------
Thanks for downloading Trillian!"
The worm can also display a video.
How to Recover from Infection
Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:
Manual Recovery
It is not possible to recover manually from Win32/Antinny. You must use up-to-date antivirus software to completely clean this worm from your computer. To recover from this worm using antivirus software, follow these steps:
1. Disconnect from the Internet.
2. Run up-to-date antivirus software.
3. Take steps to prevent re-infection.
Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding by unplugging your network cable or disabling your wireless connection. You can reconnect to the Internet after running antivirus software.
Run up-to-date antivirus software
Run up-to-date antivirus software to completely clean this worm from your computer.
Take steps to prevent re-infection
Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Transmission Methods
| Method | Description |
|---|---|
| File Copy | Worm copies can be uploaded and downloaded by Winny users. |
| Social Engineering | Worm copies that are uploaded and downloaded have arbitrary names. |
Payload Information
| Payload type | Trigger | Description |
|---|---|---|
| Creates files | Execution | May drop the following files: (1) a copy of itself with a fabricated name and .exe extension in the following locations: %temp%, …\Winny\Up, a subfolder of the Program Files folder; (2) a text file in %temp% that has a .txt or .mp3 extension; (3) three non-malicious .dll files in <system folder>: unlha32.dll, zip32.dll, zip32j.dll; (4) files with fabricated names in …\Winny\Up: a non-malicious .jpg file, a worm archive with an .lzh extension, a worm archive with an .exe extension. |
| Display something | Execution | May play a video or display a graphic or a fake error message in Japanese. |
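
A triage check for the on-disk indicators described above, added here as an example and not part of the original encyclopedia entry: it flags .txt or .mp3 files in the temp folder that begin with the fake Trillian release notes, and lists .exe and .lzh files in a Winny upload folder for review. The function names, the single-byte text encoding and the upload folder path supplied by the caller are assumptions; the page elides the full Winny path.

```python
import os
import sys
import tempfile
from pathlib import Path

# Marker lines quoted on the page for the dropped text file.
BANNER_MARKERS = ("Trillian v0.74E", "RELEASE NOTES", "Thanks for downloading Trillian!")
TEXT_EXTS = {".txt", ".mp3"}     # extensions the page gives for that text file
REVIEW_EXTS = {".exe", ".lzh"}   # worm copies and archives listed for Winny\Up


def looks_like_decoy_notes(path, head_bytes=1024):
    """True if the file begins with the fake Trillian release notes."""
    try:
        with open(path, "rb") as fh:
            # Assumption: single-byte text; latin-1 never fails to decode.
            head = fh.read(head_bytes).decode("latin-1")
    except OSError:
        return False  # unreadable or locked file: no match
    return all(marker in head for marker in BANNER_MARKERS)


def scan_temp(temp_dir):
    """Names of .txt/.mp3 files in temp_dir that start with the decoy banner."""
    return sorted(p.name for p in Path(temp_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in TEXT_EXTS
                  and looks_like_decoy_notes(p))


def scan_upload_folder(up_dir):
    """Names of .exe/.lzh files in a Winny upload folder, for manual review."""
    if not up_dir or not Path(up_dir).is_dir():
        return []
    return sorted(p.name for p in Path(up_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in REVIEW_EXTS)


def triage(temp_dir, up_dir):
    """Collect both indicator lists; hits are leads for an antivirus scan."""
    return {"decoy_text_files": scan_temp(temp_dir),
            "upload_folder_review": scan_upload_folder(up_dir)}


if __name__ == "__main__":
    # Assumption: the Winny upload folder path is passed as the first argument.
    temp = os.environ.get("TEMP", tempfile.gettempdir())
    print(triage(temp, sys.argv[1] if len(sys.argv) > 1 else ""))
```

A hit in either list is a lead, not a verdict: the upload folder can also hold legitimate .exe or .lzh files, so confirm with up-to-date antivirus software as the recovery steps require.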