Win32/Antinny is a family of worms that targets certain versions of Microsoft Windows. The worm spreads using a Japanese peer-to-peer file-sharing application named Winny. The worm creates a copy of itself with a deceptive file name in the Winny upload folder so that it can be downloaded by other Winny users.
Installation
When Win32/Antinny.W is run, it drops the following files to the local machine:
%TEMP%\<5 random numerals>.tmp\<4 incremental numbers>.exe - copy of the worm
%TEMP%\<5 random numerals>.tmp\<4 incremental numbers>.jpg - image file
While copying itself, the worm may display the following graphic:
Next, the worm may drop copies of itself into randomly selected folders. The worm borrows the name of an existing file and appends one of the following strings to it to form the filename of the dropped copy:
_svchost
_cfg
_spoolsv
_winlogon
_explorer
_system
_quickboot
_config
_start_1
_login
_setup
_env
_loader
_autorun_1
Example:
%ProgramFiles%\Winny\Winny.exe - existing application
%ProgramFiles%\Winny\Winny_env.exe - copy of Win32/Antinny.W
The worm modifies the registry to execute its copy at each Windows start:
Adds value: <Antinny filename> (example: "Winny env")
With data: "<Antinny path and filename>" /autorun (example: "C:\Program Files\Winny\Winny_env.exe" /autorun)
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: In order for the malware to fully execute, it must be run with any of the following parameters:
/autorun
/logon
/start
Spreads Via…
P2P File Sharing
Win32/Antinny.W searches for the installation path of the P2P application Winny beginning with <root drive>:\*.*. If found, this worm may create the following subfolders with "system" and "hidden" attributes:
Up
Bbs2
Cache2
Down
.FolderSettings
System Volume Information
The worm then adds the newly created folder as a file sharing path by editing the Winny configuration file 'UpFolder.txt', as in the following example:
[Up]
Path=<Winny install path>\<newly created folder>
Trip=
Next, Win32/Antinny.W drops a copy of itself into the newly created folder using any of the following filenames:
AUTOEXEC.exe
MSDOS.exe
ntldr.exe
RECYCLER.exe
System Volume Information.exe
WINDOWS.exe
Other files whose names contain high-ASCII characters may also be dropped.
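The following script, added here as an example and not part of the original analysis, turns the indicators described above (borrowed filenames with an appended suffix, Run-key data ending in one of the worm's switches, and UpFolder.txt entries sharing a worm-created folder) into offline checks over constructed sample data. It assumes the Winny install path C:\Program Files\Winny; on a real host the directory listing, UpFolder.txt contents and Run-key values would be read from the machine, and each hit is a triage candidate to confirm (for instance by checking the folder's hidden/system attributes), not a verdict.

```python
from pathlib import PureWindowsPath

# Strings the analysis says Antinny.W appends to a borrowed filename.
ANTINNY_SUFFIXES = ("_svchost", "_cfg", "_spoolsv", "_winlogon", "_explorer",
                    "_system", "_quickboot", "_config", "_start_1", "_login",
                    "_setup", "_env", "_loader", "_autorun_1")
# Switches the worm needs in order to fully execute (seen in its Run-key data).
ANTINNY_SWITCHES = ("/autorun", "/logon", "/start")
# Folder names the worm may create under the Winny install directory.
ANTINNY_FOLDERS = {"up", "bbs2", "cache2", "down", ".foldersettings",
                   "system volume information"}

def find_borrowed_names(filenames):
    """Names of the form <existing><suffix>.ext where <existing>.ext is also present."""
    present = {n.lower() for n in filenames}
    hits = []
    for name in filenames:
        stem, ext = PureWindowsPath(name).stem, PureWindowsPath(name).suffix
        for suffix in ANTINNY_SUFFIXES:
            if stem.lower().endswith(suffix) and (stem[:-len(suffix)] + ext).lower() in present:
                hits.append(name)
                break
    return hits

def find_run_entries(run_values):
    """Run-key value names whose data ends in one of the worm's switches."""
    return [name for name, data in run_values.items()
            if data.strip().lower().endswith(ANTINNY_SWITCHES)]

def find_shared_worm_folders(upfolder_text, winny_dir):
    """Path= lines in UpFolder.txt that point at a worm-created folder under winny_dir."""
    base, hits = PureWindowsPath(winny_dir), []
    for line in upfolder_text.splitlines():
        if line.lower().startswith("path="):
            path = PureWindowsPath(line[len("path="):].strip())
            # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
            if path.parent == base and path.name.lower() in ANTINNY_FOLDERS:
                hits.append(str(path))
    return hits

# Constructed sample data (not taken from a real host); the install path is assumed.
SAMPLE_FILES = ["Winny.exe", "Winny_env.exe", "Winny.ini", "readme_setup.txt", "setup.exe"]
SAMPLE_RUN = {"Winny env": r'"C:\Program Files\Winny\Winny_env.exe" /autorun',
              "Updater": r'"C:\Program Files\Example\updater.exe" /quiet'}
SAMPLE_UPFOLDER = "[Up]\nPath=C:\\Program Files\\Winny\\Up\nTrip=\n[Up]\nPath=C:\\Program Files\\Winny\\Shared\nTrip=\n"

if __name__ == "__main__":
    print(find_borrowed_names(SAMPLE_FILES))                                    # ['Winny_env.exe']
    print(find_run_entries(SAMPLE_RUN))                                         # ['Winny env']
    print(find_shared_worm_folders(SAMPLE_UPFOLDER, r"C:\Program Files\Winny"))  # ['C:\\Program Files\\Winny\\Up']
```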
Analysis by Francis Allan Tan Seng