Worm:Win32/Slenping.X is a detection for a worm that spreads to other computers by copying itself to mapped and removable drives and via the instant chat applications MSN Messenger and AOL Messenger.
Installation
When run, the worm modifies the registry to add itself to the Windows Firewall list of authorized applications, which lets it bypass the firewall.
Adds value: "<path and file name of Worm:Win32/Slenping.X when run>"
With data: "<path and file name of Worm:Win32/Slenping.X when run>:*:Enabled:Cftmon32"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "<path and file name of Worm:Win32/Slenping.X when run>"
With data: "<path and file name of Worm:Win32/Slenping.X when run>:*:Enabled:Cftmon32"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Next, the worm copies itself as the following file:
%USERPROFILE%\Application Data\afd.exe
The registry is modified to run the worm copy at each Windows start.
Adds value: "Cftmon32"
With data: "%USERPROFILE%\Application Data\afd.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Cftmon32"
With data: "%USERPROFILE%\Application Data\afd.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
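The registry changes listed above can be looked for in a registry export taken from a suspect machine. The Python below is an added example, not part of the original analysis. It assumes a regedit/reg.exe text export already decoded to a string, extends the firewall check to any ControlSetNNN rather than only ControlSet001, and runs on constructed sample data.

```python
import re

# Indicators from the description above; matching is case-insensitive
# because registry key and value names are.
RUN_VALUE = "cftmon32"
FW_SUFFIX = ":*:enabled:cftmon32"
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# Assumption: any ControlSetNNN is checked, not only ControlSet001.
FW_KEY = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
    r"\\StandardProfile\\AuthorizedApplications\\List", re.I)
# One "name"="string data" line of a .reg export (backslash-escaped).
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (kind, key, value name, data) for each matching entry."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.fullmatch(line)
        if key is None or m is None:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if key.lower() in RUN_KEYS and name.lower() == RUN_VALUE:
            hits.append(("autostart", key, name, data))
        elif FW_KEY.fullmatch(key) and data.lower().endswith(FW_SUFFIX):
            hits.append(("firewall-exception", key, name, data))
    return hits

# Constructed sample export; all paths are made up for illustration.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Cftmon32"="C:\\Documents and Settings\\user\\Application Data\\afd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
"C:\\Temp\\sample.exe"="C:\\Temp\\sample.exe:*:Enabled:Cftmon32"
"""
```

Calling find_indicators(SAMPLE) returns the Cftmon32 autostart entry and the firewall exception ending in ":*:Enabled:Cftmon32", and skips the two benign entries.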
Spreads Via…
Mapped and removable drives
Worm:Win32/Slenping.X copies itself to mapped and removable drives. The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Internet chat clients
The worm composes messages to the user's contacts in the Internet chat applications AOL Messenger and MSN Messenger, each containing a hyperlink pointing to a remotely hosted copy of the worm. Recipients of the message may become infected by visiting the link and allowing the downloaded worm copy to run.
Analysis by Jaime Wong