Worm:MSIL/Shaskooth.A is a worm that spreads via logical and removable drives, and may display a message on the affected user's computer.
When executed, Worm:MSIL/Shaskooth.A copies itself as the following:
Note: <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It also copies itself to the following FAT or FAT32 (File Allocation Table) drives:
<FAT drive>:\ p4P1SnVUacC9D5InNvT19YpR\Inv.exe (for example,
<FAT drive>:\<directory name>.exe
(for example, F:\wow.exe)
where <FAT drive> is the letter designation of a FAT or FAT32 drive on the affected user's computer, and <directory name> refers to any directories that are in the top level of the drive.
Worm:MSIL/Shaskooth.A notes all the directory names, then copies itself to each drive as the directory name with 'hidden' and 'system' attributes. For example, if the worm were to locate a directory called "wow" on the F:\ drive, it would copy itself as "F:\wow.exe".
Worm:MSIL/Shaskooth.A may also make the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: " innv"
With data: <worm location>
Logical and removable drives
Worm:MSIL/Shaskooth.A then writes an autorun configuration file named 'autorun.inf' pointing to the FAT and FAT32 drives. When the FAT or FAT32 drive is accessed from a computer supporting the Autorun feature, the malware is launched automatically.
Worm:MSIL/Shaskooth.A has been observed deleting all .Lnk files on the FAT drive of the affected user's computer.
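The drive artifacts described above (an executable named after a top-level directory, plus an 'autorun.inf' in the drive root) can be checked for with a short script. This is an added example, not part of the original analysis; the function names and the sample drive layout are constructed for illustration. The write-up does not say which autorun.inf keys the worm uses, so the script reports the standard launch keys.

```python
import os
import stat
import tempfile

HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
LAUNCH_KEYS = ("open", "shellexecute")  # standard autorun.inf launch keys

def has_hidden_system(path):
    """True if both 'hidden' and 'system' are set (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM

def autorun_targets(path):
    """Return the programs an autorun.inf asks the shell to launch."""
    targets = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def scan_drive_root(root):
    """Flag <directory name>.exe files and autorun.inf in a drive's top level."""
    entries = list(os.scandir(root))
    dirs = {e.name.lower(): e.path for e in entries if e.is_dir()}
    findings = []
    for e in entries:
        if not e.is_file():
            continue
        stem, ext = os.path.splitext(e.name.lower())
        if e.name.lower() == "autorun.inf":
            findings.append(("autorun.inf", e.name, autorun_targets(e.path)))
        elif ext == ".exe" and stem in dirs:  # e.g. F:\wow.exe beside F:\wow
            flagged = has_hidden_system(e.path) or has_hidden_system(dirs[stem])
            findings.append(("dir-named-exe", e.name, flagged))
    return sorted(findings)

def demo():
    """Scan a constructed drive layout (sample data, not from a real infection)."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("wow", "docs"):
            os.mkdir(os.path.join(root, d))
        for name, body in (("wow.exe", ""), ("setup.exe", ""),
                           ("autorun.inf", "[autorun]\nopen=wow.exe\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_drive_root(root)
```

Call `scan_drive_root("F:\\")` against a mounted drive, or `demo()` to see the output on the constructed layout. The third field of a 'dir-named-exe' finding is True when the executable or its same-named directory carries both attributes.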
Worm:MSIL/Shaskooth.A displays the following message for a short period of time at specified intervals:
Analysis by Michael Johnson