USBToy
Threat LevelDamageDistribution

Effects 

USBToy displays the following message whenever Windows is started:

Its main objective is to spread through USB devices.

Infection strategy 

USBToy creates the following files:

• MSLOGON.EXE, in the Windows system directory. This file is a copy of the worm.
• AUTORUN.INF, in the USB device, if there is any.
• TOY.EXE, in the USB device, if there is any. This file is also a copy of the worm.
  These two files remain hidden in the device.
• SYSTEMNT.EXE in the directory: C:\Documents and Settings\%user%\Start Menu\Programs\Startup
  where %user% is the user that has logged in.
  This way, this file will be run whenever Windows is started.

USBToy uses the Windows API (Application Programming Interface) called SetFileAttributesA in order to hide the files AUTORUN.INF and TOY.EXE and the subfolder STARTUP located in the directory: C:\Documents and Settings\%user%\Start Menu\Programs.

Means of transmission 

USBToy spreads from computers to USB devices and vice versa. In order to do so, it follows the routine below:

• When it is run, USBToy checks if there is any USB device connected to the computer.
• If it finds any, USBToy will infect it by copying two files, which remain hidden, to the device.
• When the infected USB device is connected to other computer, this computer will be also infected by USBToy.

Further Details  

USBToy is written in the programming language Visual C++ v6. This worm is 45,056 bytes in size.