Win32/RussoTuristo [Threat Name] go to Threat

Win32/RussoTuristo [Threat Variant Name]

Category worm
Size 53326 B
Aliases Worm.Win32.RussoTuristo.f (Kaspersky)
  Worm:Win32/RussoTuristo.A (Microsoft)
  W32.SillyDC (Symantec)
  Win32:RussoTuristo-C (Avast)
Short description

Win32/RussoTuristo is a worm that spreads via removable media. The file is run-time compressed using UPX .

Installation

When executed the worm copies itself in the following locations:

  • %windows%\­Cursors\­services.exe
  • %systemdrive%\­Documents and Settings\­%username%\­Local Settings\­Application Data\­Microsoft\­CD Burning\­Новая папка.exe
  • %systemdrive%\­Documents and Settings\­%username%\­Мои документы\­Новая папка.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Local Service" = "%windows%\­Cursors\­services.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoFolderOptions" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableRegistryTools" = 1
    • "DisableCMD" = 0
Spreading

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • Новая папка.exe

The worm also copies itself into existing subfolders.


The name of the file may be based on the name of an existing file or folder.

Other information

The worm restarts the operating system if there is a window with any of the following strings in the name:

  • Настройка системы
  • Порно
  • Редактор реестра
  • Результаты поиска

If the current system date and time matches certain conditions, the worm attempts to delete all files and folders stored on the available drives.

Please enable Javascript to ensure correct displaying of this content and refresh this page.