W32/Antinny.Au is a worm that will infect Windows systems.

Upon execution, the worm copies the following files:

  • svchost.exe in the Windows System\Microsoft folder,
  • winsm.exe in the Windows System folder,
  • [RANDOM].exe in the Windows Temp folder.

It modifies the registry at the following location to load itself during each startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

It also disables System Restore.

The worm attempts to end the following processes:

  • Windows Task Manager (Japanese version)
  • ProcessWalker
  • Process Explorer

It also creates the WindowsSecurityManager service.

The worm checks the current date periodically. It may perform a denial-of-service attack against the following Web sites if the day is Monday and the date is between the 1st and 6th of the month.

    http://www.accsjp/[REMOVED]/.or.jp
    http://www2.accsjp/[REMOVED]/.or.jp
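
A host triage check for the indicators listed above, as an added PowerShell example that is not part of the original description or any vendor tool. It assumes the "Windows System folder" is %SystemRoot%\System32, the "Windows Temp folder" is %SystemRoot%\Temp, and that a disabled System Restore shows as DisableSR = 1 in the registry; the page does not give these details.

```powershell
# Added triage example, not vendor code. Assumptions: "Windows System folder" is
# %SystemRoot%\System32 and "Windows Temp folder" is %SystemRoot%\Temp.
$sys      = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped files. The genuine svchost.exe sits directly in System32, so a
#    copy under System32\Microsoft is out of place.
foreach ($p in @((Join-Path $sys 'Microsoft\svchost.exe'), (Join-Path $sys 'winsm.exe'))) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. The third file has a random name, so list Temp executables for review.
$tmp = Join-Path $env:SystemRoot 'Temp'
foreach ($f in @(Get-ChildItem -Path $tmp -Filter '*.exe' -ErrorAction SilentlyContinue)) {
    $findings += "Executable in Temp (review): $($f.FullName)"
}

# 3. RunOnce values whose data points at one of those locations.
$key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'winsm\.exe|\\Microsoft\\svchost\.exe|\\Temp\\[^\\]+\.exe') {
            $findings += "RunOnce value '$name' -> $data"
        }
    }
}

# 4. Service named on the page (it does not say whether this is the service
#    name or the display name, so match either).
foreach ($s in @(Get-Service | Where-Object { $_.Name -eq 'WindowsSecurityManager' -or $_.DisplayName -eq 'WindowsSecurityManager' })) {
    $findings += "Service present: $($s.Name) [$($s.Status)]"
}

# 5. System Restore. Assumption: a disabled state shows up as DisableSR = 1.
$sr = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { $findings += 'System Restore disabled (DisableSR = 1)' }

# 6. DoS window from the page: Monday falling on the 1st to 6th (taken as inclusive).
$now = Get-Date
if ($now.DayOfWeek -eq [DayOfWeek]::Monday -and $now.Day -ge 1 -and $now.Day -le 6) {
    $findings += "Today ($($now.ToString('yyyy-MM-dd'))) is inside the DoS trigger window"
}

if ($findings.Count) { $findings } else { 'No W32/Antinny.Au indicators from this page were found.' }
```

Run it from an elevated prompt so the HKLM keys and service list are readable. Temp executables are listed for manual review only, since the page gives no fixed name for that file.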

More information can be found at this Proland Software page.