May 25th

IM-Worm.Win32.Aimes.b Is Ready to Knock out your PC

Author: Indre | Filed under Fix slow PC

I am definitely sure that you don’t want to experience slow computer performance, loss of data or the release of private information to websites. What bewilders me in this situation is the heap of viruses that regularly annoy users during their daily surfing of the Internet.

This time the potential security risk, sys32dll.exe, also known as the aimdes.b worm, is causing alarms to ring. To help you understand and recognize this particular threat, let’s look at the symptoms of the worm and the actions it performs once it is in your system.

It should be stressed that the aimdes.b worm is a virus whose aim is to exploit a serious vulnerability, which may lead to severe damage to your system. A simple worm that propagates via AOL Instant Messenger, W32.Aimdes.B attempts to disable several system utilities and switches off security notifications.

Also Known As: IM-Worm.Win32.Aimes.b, Worm_Aimides.B, TrojWare.Win32.Trojan.Agent.Gen, W32.Aimdes.C@mm
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

During the execution the worm performs the following actions:

1. It creates the following files:

  • C:\party!!.pif
  • %UserProfile%\Start Menu\Programs\Startup\Norton.exe
  • %Windir%\sys32dll.exe

Notes:

  • %UserProfile% is a variable pointing to the current user’s profile folder. By default, this is C:\Documents and Settings\ (Windows NT/2000/XP).
  • %Windir% is a variable referring to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

2. The aimdes.b worm adds one of the following values:

"sys32dll" = "%Windir%\sys32dll.exe"
"MsVBdll" = "%Windir%\sys32dll.exe"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3. Also, it adds the following registry entries:

"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"AntiVirusDisableNotify" = "1"

to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\security center
HKEY_LOCAL_MACHINE\Software\Microsoft\security center

This is an attempt to suppress the Windows Security Center notifications about the firewall, the antivirus product and the update status.

4. Then, the worm adds the following registry entries:

"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

to disable access to the Windows Task Manager as well as registry editing tools.

5. Adds the registry entry:

"NoAutoUpdate" = "1"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

to disable automatic Windows Updates.

6. After that it will delete the following registry value:

"Windows" = "Auto Update.exe"

if detected at the specified location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Run

7. It sends keystrokes to open AOL Instant Messenger windows causing the following message to be sent:

Message:

"Hey I went to a wild party last week! check out the pics!!!!"

Attachment:

C:\party!!.pif

8. The worm attempts to terminate the following processes:

  • svchost.exe
  • lsass.exe

Remember all the threat symptoms stated above in order to identify and avoid the aimdes.b worm.
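The registry changes in steps 2 to 6 are the indicators a defender would look for on a suspect machine. The script below is an added example written for this article, not code from the write-up or from any antivirus vendor: it parses a registry export in the plain-text .reg format that Registry Editor and "reg export" produce, compares each exported key against the value names and data listed above, and reports every match. Registry key names are compared case-insensitively, DWORD values are decoded from their hex form, and Run entries are matched on the file name only because the worm writes the expanded %Windir% path. The embedded export is constructed for the demonstration and all function names are the example's own.

```python
"""Scan a Windows registry export (.reg text) for the registry indicators
that the write-up above attributes to IM-Worm.Win32.Aimes.b (added example;
sample data is constructed)."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICIES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
AU_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
SECURITY_CENTER_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Security Center",
                        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center")

# (key, value name, data) triples taken from steps 2 to 6 of the write-up.
INDICATORS = [
    (RUN_KEY, "sys32dll", r"%Windir%\sys32dll.exe"),
    (RUN_KEY, "MsVBdll", r"%Windir%\sys32dll.exe"),
    (POLICIES_KEY, "DisableTaskMgr", "1"),
    (POLICIES_KEY, "DisableRegistryTools", "1"),
    (AU_KEY, "NoAutoUpdate", "1"),
] + [(key, name, "1") for key in SECURITY_CENTER_KEYS
     for name in ("FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify")]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Right-hand side of a .reg value line -> comparable text."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))          # dword:00000001 -> "1"
    return raw                                 # hex:, hex(2): etc. left verbatim


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: data}}.
    Default values (@=) and multi-line hex continuations are skipped; the
    indicators above do not use them."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            hives[current][_unescape(m.group(1))] = _decode(m.group(2))
    return hives


def _data_matches(expected, actual):
    # The worm stores the expanded path, so paths are compared by file name only.
    if "\\" in expected:
        return actual.lower().rsplit("\\", 1)[-1] == expected.lower().rsplit("\\", 1)[-1]
    return actual.strip().lower() == expected.lower()


def scan_registry(hives):
    """Return (key, value name, data) for every indicator present in the export."""
    by_key = {k.lower(): v for k, v in hives.items()}   # key names are case-insensitive
    findings = []
    for key, name, expected in INDICATORS:
        for actual_name, actual in by_key.get(key.lower(), {}).items():
            if actual_name.lower() == name.lower() and _data_matches(expected, actual):
                findings.append((key, actual_name, actual))
    return findings


# Constructed sample: an infected Run entry beside a benign one, one tampered
# Security Center value, a disabled Task Manager, and an untouched AU key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sys32dll"="C:\\WINDOWS\\sys32dll.exe"

[HKEY_CURRENT_USER\Software\Microsoft\security center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, data in scan_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{key} -> {name} = {data}")
```

On the constructed sample the script reports three findings: the sys32dll Run entry, the FirewallDisableNotify flag and DisableTaskMgr; the benign ctfmon.exe entry and the values still set to 0 are not reported. Note that the Security Center and Policies values are generic tamper indicators that other malware and some administrators also set, so a hit on them alone shows that notifications or tools were disabled, not which program did it; the Run entry pointing at sys32dll.exe is the indicator specific to this worm.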

Resources:
system32.dll file information
Technical details of the threat
Review on the file
Aimdes.b worm is a virus
