Aliases: Trojan.Gagads.A, Worm.Win32.AutoRun.p, W32/Sobarbo, Worm.Win32.SubRest.a
Variants: Win32.AutoRun.H, PE_AGENT.ZAE, Mal/Packer, Trojan-Dropper.Win32.Interlac.10.B, Win32/Autorun.worm.372063

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, Europe
Removal: Easy
Platform: W32
Discovered: 09 Sep 2007
Damage: Low

Characteristics: Based on observed infections, the W32.Addsones virus spreads its code through removable storage devices. Its presence may cause pop-up windows for various Internet advertisements to appear uncontrollably. Believed to be a network-aware variant, it can compromise other computer systems attached to an infected network environment.

More details about W32.Addsones

When the W32.Addsones virus is executed, it targets the System folder of the Windows directory. It drops various files into the folder, which may have the extensions EXE, CFG, DLL, and DAT, among others. The virus then uses these files to generate a corresponding CTFMON process with an associated registry entry. This modification of the Windows Registry allows the virus to load immediately together with the Operating System.

One of the most damaging effects of a W32.Addsones infection is that it takes over most of the executable files stored on the computer system. As a result, many applications may fail to load when launched by the computer user. The virus normally modifies executable files by appending its code to them. This increases the size of the executable file, which is usually 305,503 bytes bigger than the original.

Removable storage devices are normally infected using an autorun.inf file. This file allows the virus to execute once the computer user accesses the contents of the removable drive. Since the virus has a certain degree of control over the Web browser, it may send periodic reports to the author regarding the online activities of the computer user.

Manual removal of the W32.Addsones virus requires disabling the System Restore option. This prevents the Operating System from creating a restore point that includes the virus and infected files. The system then needs to be booted into the Windows prompt, and the associated files deleted manually.
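The two indicators described above, the autorun.inf launcher on removable drives and the 305,503-byte growth of infected executables, can be checked with a short triage script. This is an added example, not code from the original entry; the function names, sample file names, and sizes are constructed for illustration, and a baseline of known-good file sizes is assumed to exist.

```python
import re

# Size increase the entry reports for executables the virus has appended to.
APPENDED_BYTES = 305_503
# autorun.inf keys that make Windows run a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found


def grown_executables(baseline, current, delta=APPENDED_BYTES):
    """Return paths whose size grew by exactly `delta` bytes since the baseline."""
    return sorted(
        path for path, size in current.items()
        if path in baseline and size - baseline[path] == delta
    )


# Constructed sample input: file names and sizes are illustrative only.
SAMPLE_INF = """; constructed sample
[AutoRun]
icon=folder.ico
OPEN=sample.exe
shell\\explore\\command = sample.exe -e
[Other]
open=ignored.exe
"""
SAMPLE_BASELINE = {r"C:\Tools\a.exe": 40_960, r"C:\Tools\b.exe": 102_400}
SAMPLE_CURRENT = {r"C:\Tools\a.exe": 346_463, r"C:\Tools\b.exe": 102_400}

if __name__ == "__main__":
    print(autorun_commands(SAMPLE_INF))
    print(grown_executables(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

Because the entry says the growth is "usually" 305,503 bytes, an exact match is a strong hint rather than proof, and a file that grew by a different amount is not thereby cleared.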