W32.Cesca


Aliases: W32.Cesca Fecha
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: active & spreading
Spreading: slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: easy
Platform: W32
Discovered: 16 Oct 2003
Damage: Low

Characteristics: This virus is designed to spread via floppy disks: it periodically copies itself to the floppy in drive A:, each time using a file name picked at random from a list it carries. It was written in a Microsoft programming language.

More details about W32.Cesca

The virus carries a list of file names and picks one at random each time it copies itself to the floppy in drive A:. The names it uses are A:\Pamela.exe, A:\PracticaIII.exe, A:\Documentomercantil9.exe, A:\Melisa.exe, A:\Cartas.exe, A:\Lennon.exe, A:\Macros.exe, A:\Codific_visual.exe, A:\Avril Lavigne.exe, A:\Trinity.exe, A:\Morfeo.exe and A:\Neo.exe. It may also copy itself to fixed locations on the system drive: C:\Windows\Menú Inicio\Programas\Inicio\systems.exe, C:\Windows\system\normal.exe, C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\systems.exe, C:\Archivos de programa\Microsoft Office\Office\WINWORD.EXE and C:\Archivos de programa\Microsoft Office\Office10\winword.exe. These are the Spanish-localised names of the Windows Startup folder (Menú Inicio\Programas\Inicio is Start Menu\Programs\Startup) and of Program Files (Archivos de programa), so the virus targets Spanish-language Windows installations: a copy in the Startup folder runs at every logon, and a copy placed at the WINWORD.EXE path replaces Word's own executable, so it runs whenever Word is launched. The virus may also enter a system through peer-to-peer (P2P) file-sharing networks, where an infected file is disguised as a popular download; on an infected machine it can drop copies of itself into the P2P shared folders so that other users download them.

It can also spread via network shares. If a shared folder is password-protected, it tries to guess the login. The description also credits it with exploiting several Windows vulnerabilities, namely the remote buffer overflows in RPC DCOM, LSASS and Plug and Play, and with using backdoors already opened on the target. Note that the LSASS (MS04-011) and Plug and Play (MS05-039) flaws were disclosed in 2004 and 2005, after the October 2003 discovery date given above, so those claims do not fit the original sample and should be treated with caution. The virus's components are saved under random file names, either in the Windows directory or in hidden locations, and are added to the system registry startup key so that they run at boot.
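The drop locations listed above and the registry startup entry can be checked against a directory listing and a registry export. The following is an added example, not code from the original page or from any vendor: the file names and paths are taken from the description, the startup key is assumed to be the usual HKLM/HKCU ...\CurrentVersion\Run (the page does not name it), and the directory listings and .reg text are constructed samples so the script runs offline. To use it on a real machine, feed it the output of `dir /b /s` for A:\ and C:\ and a file produced by `reg export`.

```python
"""Indicator check for the W32.Cesca drop locations described above.

Added example, not code from the original page. The Run key and the sample
data are assumptions; the path and name lists come from the description.
"""
import re
from pathlib import PureWindowsPath

# File names the virus picks at random when copying itself to A:\ (from the page).
FLOPPY_NAMES = {
    "Pamela.exe", "PracticaIII.exe", "Documentomercantil9.exe", "Melisa.exe",
    "Cartas.exe", "Lennon.exe", "Macros.exe", "Codific_visual.exe",
    "Avril Lavigne.exe", "Trinity.exe", "Morfeo.exe", "Neo.exe",
}

# Fixed drop locations on the system drive (from the page).
SYSTEM_DROPS = {
    r"C:\Windows\Menú Inicio\Programas\Inicio\systems.exe",
    r"C:\Windows\system\normal.exe",
    r"C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\systems.exe",
    r"C:\Archivos de programa\Microsoft Office\Office\WINWORD.EXE",
    r"C:\Archivos de programa\Microsoft Office\Office10\winword.exe",
}


def _norm(path: str) -> str:
    """Comparison key: Windows paths are case-insensitive, so casefold them."""
    return str(PureWindowsPath(path.strip().strip('"'))).casefold()


_SYSTEM_KEYS = {_norm(p) for p in SYSTEM_DROPS}
_FLOPPY_KEYS = {n.casefold() for n in FLOPPY_NAMES}


def floppy_hits(listing):
    """Entries on drive A: whose file name is on the virus's name list."""
    hits = []
    for entry in listing:
        p = PureWindowsPath(entry.strip())
        if p.drive.casefold() == "a:" and p.name.casefold() in _FLOPPY_KEYS:
            hits.append(entry)
    return hits


def system_hits(listing):
    """Entries that match one of the fixed system-drive drop paths."""
    return [e for e in listing if _norm(e) in _SYSTEM_KEYS]


# Assumption: the "startup key" is a ...\CurrentVersion\Run or RunOnce key.
_RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def run_key_hits(reg_text):
    """Run-key values in a `reg export` file that point at a known drop path.

    .reg files escape backslashes and quotes, so values are unescaped before
    comparison. Returns (key, value name, unescaped path) tuples.
    """
    hits = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):           # new key header; only track Run keys
            m = _RUN_KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        if key is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:                          # hex:, dword: or blank lines
            continue
        name, raw = m.groups()
        value = raw.replace("\\\\", "\\").replace('\\"', '"')
        if _norm(value) in _SYSTEM_KEYS:
            hits.append((key, name, value))
    return hits


# Constructed sample input standing in for `dir /b /s` and `reg export` output.
SAMPLE_FLOPPY_LISTING = [r"A:\informe.doc", r"A:\Avril Lavigne.exe", r"A:\Neo.exe"]
SAMPLE_SYSTEM_LISTING = [
    r"C:\Windows\system\normal.exe",
    r"C:\Windows\explorer.exe",
    r"c:\archivos de programa\microsoft office\office10\WINWORD.EXE",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"normal"="C:\\Windows\\system\\normal.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''

if __name__ == "__main__":
    print("floppy:", floppy_hits(SAMPLE_FLOPPY_LISTING))
    print("system:", system_hits(SAMPLE_SYSTEM_LISTING))
    print("run key:", run_key_hits(SAMPLE_REG))
```

A hit on the WINWORD.EXE paths is only meaningful together with a size or hash comparison against a clean Word binary, since the path itself is legitimate; the other locations should not normally contain those file names at all.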