Companion worms making it harder to discover malware


A new series of worms (called Downloader.Agent.awf by some AV products) reads the infected computer's HKLM (or HKCU) \Run keys to find previously installed programs.

Then the worm copies the original executable to a new location, and replaces the original copy with a copy of the worm. When the computer executes the \Run keys, it runs the worm instead, which then launches the original program.

Security Adviser | InfoWorld | Companion worms making it harder to discover malware | October 15, 2006 09:38 AM | By Roger Grimes
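Because the \Run value still names the same path after the swap, reviewing the key alone shows nothing; the file behind it has to be checked. The following PowerShell sketch is an added example, not code from the article: it records a SHA-256 hash and Authenticode status for every Run target on a known-good system and flags later changes. The baseline path `C:\SecBaseline\run-targets.csv` and the function name `Get-RunTarget` are assumptions.

```powershell
# Added example (not from the article). Baseline path is an assumption.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$BaselinePath = 'C:\SecBaseline\run-targets.csv'   # hypothetical; directory must exist

function Get-RunTarget {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip the (Default) value
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Executable = quoted path, else text up to the first ".exe", else whole value
            if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(.+?\.exe)\b') {
                $path = $Matches[1]
            } else {
                $path = $cmd.Trim()
            }
            $hash = 'MISSING'; $sig = 'MISSING'
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $sig  = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
            }
            [pscustomobject]@{ Key = $key; Name = $name; Path = $path; SHA256 = $hash; Signature = $sig }
        }
    }
}

$current = @(Get-RunTarget)
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run on a known-good system: record what each Run value points to
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    "Baseline written: $($current.Count) entries"
} else {
    $baseline = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline["$($_.Key)|$($_.Name)"] = $_ }
    foreach ($e in $current) {
        $old = $baseline["$($e.Key)|$($e.Name)"]
        if ($null -eq $old) {
            "NEW       $($e.Name) -> $($e.Path)"
        } elseif ($old.Path -eq $e.Path -and $old.SHA256 -ne $e.SHA256) {
            # Registry value unchanged, file content changed: the pattern described above
            "REPLACED  $($e.Name): $($e.Path) (signature: $($e.Signature))"
        } elseif ($old.Path -ne $e.Path) {
            "REPOINTED $($e.Name): $($old.Path) -> $($e.Path)"
        }
    }
}
```

A hash change also follows a legitimate software update, so treat a REPLACED line as a lead and use the reported signature status to triage it.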

Linked by shanmuga Monday, 16th October 2006 9:49PM