drvddll.exe - Dangerous

Manual removal instructions:

Antivirus Report of drvddll.exe:
drvddll.exe: Malware
drvddll.exe: Dangerous
drvddll.exe: High Risk
Bagle.z is an Internet worm spreading as an infected email attachment.

Infected message characteristics:
Sender address: random
Subject and attachment name: each is taken from a predefined list.
Attachment characteristics:
.exe, .com, .scr and .cpl: binary code file
.vbs: script
.hta: HTML file

Message body:
There is a wide range of possible message texts.

The message may contain a VBS script; if this is launched by the user, it exploits a Microsoft Internet Explorer vulnerability (Microsoft Security Bulletin MS03-040) which makes it possible to download the executable worm file via the Internet from several dozen infected web sites.

It copies itself to the Windows system directory under the name "drvsys.exe",
and registers this file in the system registry autorun key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvddll.exe" = "%system%\drvddll.exe"

It searches for and deletes some keys in the system registry related to firewall or antivirus programs.
The worm also attempts to connect to a range of remote sites, and to save information about the victim computer on these sites.

The worm searches the computer for files with certain extensions and sends itself to all email addresses found in these files.
It uses its own SMTP server to send messages.

The worm searches the computer for folders where the name contains the word 'shar' and copies itself several times to each folder found, under the names of popular applications, such as ACDSee 9.exe, Adobe Photoshop 9 full.exe, Ahead Nero 7.exe etc.

The worm opens port 2535 and tracks port activity.
The backdoor function makes it possible to remotely execute commands and download files to the victim machine.
The worm attempts to combat antivirus programs and firewalls by terminating their processes in memory.

Use RegRun Startup Optimizer to remove this worm from startup.
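
The host indicators described above (the drvddll.exe autorun value, a listener on port 2535, and executables placed in folders with 'shar' in the name) can be checked against collected command output. This is an added example, not part of the original description: the function names and sample data are constructed, and the inputs are assumed to be text from `reg query` on the Run key, `netstat -an`, and a file listing.

```python
import ntpath
import re

# Indicators as stated in the description above.
RUN_VALUE = "drvddll.exe"
BACKDOOR_PORT = 2535

def run_key_hits(reg_text):
    """Find the worm's autorun value in `reg query` text for the Run key."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip().strip('"')
        if RUN_VALUE in (name.lower(), ntpath.basename(data).lower()):
            hits.append(("run-key", name, data))
    return hits

def listener_hits(netstat_text, port=BACKDOOR_PORT):
    """Find TCP listeners on the backdoor port in `netstat -an` text."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                hits.append(("listener", f[1]))
    return hits

def share_hits(paths):
    """Flag .exe files that sit under a folder with 'shar' in its name."""
    return [("share-copy", p) for p in paths if p.lower().endswith(".exe")
            and any("shar" in d for d in ntpath.dirname(p).lower().split("\\"))]

# Constructed sample data (not captured from a real host).
REG_SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    drvddll.exe    REG_SZ    C:\WINDOWS\system32\drvddll.exe
"""
NETSTAT_SAMPLE = """  TCP    0.0.0.0:135      0.0.0.0:0         LISTENING
  TCP    0.0.0.0:2535     0.0.0.0:0         LISTENING
  TCP    192.0.2.10:1042  198.51.100.7:25   ESTABLISHED
"""
PATHS_SAMPLE = [r"C:\Program Files\App\My Shared Folder\Ahead Nero 7.exe",
                r"C:\Documents\report.doc", r"C:\Tools\putty.exe"]

if __name__ == "__main__":
    for hit in run_key_hits(REG_SAMPLE) + listener_hits(NETSTAT_SAMPLE) + share_hits(PATHS_SAMPLE):
        print(hit)
```

A hit from `share_hits` only marks a file for review, since legitimate installers can also sit in shared folders.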

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
