W32/Bindo.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 10/29/2007
- Length: 139.264
- Minimum DAT: 5152 (10/30/2007)
- Updated DAT: 5152 (10/30/2007)
- Minimum Engine: 5.1.00
- Description Added: 10/29/2007
- Description Modified: 10/29/2007 7:25 AM (PT)
Overview
Detection for this worm was added to cover a 32-bit PE file called "soundmax.exe" with a file size of 139.264 bytes.
Characteristics
Detection for this worm was added to cover a 32-bit PE file called "soundmax.exe" with a file size of 139.264 bytes.
The file is not internally compressed with a packer. The file is written using the MSVC++ development tool.
Upon execution, it runs silently; no GUI messages appear on the screen.
It immediately copies itself and creates a registry entry so that the worm gets executed automatically upon system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SoundMax"
Data: C:\Program Files\Sound Utility\Soundmax.exe
It might also change the registry with:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"Nofolderoptions"
Data: 01, 00, 00, 00
The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders. In these it might copy itself as "Sex_ScreenSaver.scr" and/or "Sex_Game.exe".
There's no exploit associated with it; infection starts with manual execution of the worm.
- c:\autoply.exe (size: 139.264 bytes)
- c:\Documents and Settings\##user##\Local Settings\Temp\svchost.exe (size: 139.264 bytes)
- c:\Program Files\Common Files\Microsoft Shared\MSshare.exe (size: 139.264 bytes)
- c:\Program Files\Sound Utility\Soundmax.exe (size: 139.264 bytes)
- c:\WINNT\Web\OfficeUpdate.exe (size: 139.264 bytes)
Besides these it might try to drop/create:
Symptoms
- Presence of a 32-bit PE file called "soundmax.exe" with a file size of 139.264 bytes.
- Presence of the mentioned registry modifications
- It might try to drop/create a file called c:\Autorun.inf (size: 301 bytes)
- It might try to drop/create a file called "important.htm" on the desktop, titled Salam - Doste - Man.
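A read-only triage check for the file and registry indicators listed above, as an added example that is not part of the McAfee description. It assumes "139.264 bytes" means 139,264 bytes, that `$env:TEMP` and the Desktop folder stand in for the page's "##user##" placeholder, and that the "01, 00, 00, 00" data may be stored either as binary or as DWORD 1; the function and variable names are hypothetical.

```powershell
# Added triage example, not McAfee code. Read-only: it inspects, never deletes.
# Needs PowerShell 3.0 or later ([pscustomobject]).
$WormSize = 139264  # assumption: the page's "139.264 bytes" read as 139,264

# Paths from the description. $env:TEMP and the Desktop folder stand in for the
# page's "##user##" profile placeholder (assumption). Size 0 = size not given.
$Files = @(
    @{ Path = 'C:\autoply.exe'; Size = $WormSize },
    @{ Path = (Join-Path $env:TEMP 'svchost.exe'); Size = $WormSize },
    @{ Path = 'C:\Program Files\Common Files\Microsoft Shared\MSshare.exe'; Size = $WormSize },
    @{ Path = 'C:\Program Files\Sound Utility\Soundmax.exe'; Size = $WormSize },
    @{ Path = 'C:\WINNT\Web\OfficeUpdate.exe'; Size = $WormSize },
    @{ Path = 'C:\Autorun.inf'; Size = 301 },
    @{ Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'important.htm'); Size = 0 }
)
$Values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SoundMax'
       Expected = @('C:\Program Files\Sound Utility\Soundmax.exe') },
    # "01, 00, 00, 00" may be stored as REG_BINARY or as DWORD 1 (assumption).
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Nofolderoptions'
       Expected = @('01, 00, 00, 00', '1') }
)

function Get-BindoFileFinding {
    param([string]$Path, [long]$Size)
    # -Force so hidden or system-flagged files are still found.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    [pscustomobject]@{ Indicator = $Path; Observed = "$($item.Length) bytes"
                       Match = (($Size -eq 0) -or ($item.Length -eq $Size)) }
}

function Get-BindoRegistryFinding {
    param([string]$Key, [string]$Name, [string[]]$Expected)
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    $data = $props.$Name
    # REG_BINARY comes back as byte[]; render it the way the description does.
    if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('X2') }) -join ', ' }
    [pscustomobject]@{ Indicator = "$Key\$Name"; Observed = "$data"
                       Match = ($Expected -contains "$data") }
}

$findings = @(
    foreach ($f in $Files)  { Get-BindoFileFinding @f }
    foreach ($v in $Values) { Get-BindoRegistryFinding @v }
)
if ($findings.Count -eq 0) { 'No indicators from this description found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A row with `Match` set to False means the name is present but its size or data differs from the description, so it needs a manual look before being attributed to this worm.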
Method of Infection
- The worm tries to copy itself to shared drives/folders, such as Kazaa/Limewire but also ICQ shared folders.
- There's no exploit associated with it; infection starts with manual execution of the worm.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A