Aliases: PE_DETNAT.A, PE_DETNAT.B, W32/Detnat.a, Detnat.A, Win32.Detnat.A, Win32/Detnat.A
Variants: Worm.Win32.Detnat.a, Worm/Detnat.A, Worm/Detnat.A.2, W32.Detnat.E

Classification: Malware
Category: Computer Virus

Status: Active
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Mar 2006
Damage: Medium

Characteristics: W32.Detnat is a type of virus that infects the Windows system with a high destructive threat. Through the network shares, it infects executable or removable files. This virus also downloads PWSteal.Lineage (MCID 4130) and then executes it from known Websites.

More details about W32.Detnat

This virus is a parasitic file infector that looks for network shares and drives for executable files to be infected. It attempts to download and execute PWS-Lineage particularly the MCID 4130. This virus downloads files from http://www.yettz.com/media/image/re.wos, http://www.cinetown.co.kr/mpg/asx/mvp.wos and http://www.cinetown.co.kr/dacom/images/pop.wos. This virus creates a %System%\voot.sys file after its execution. Then, the virus will create a service which is “delphi” to certain registry entries. The “delphi” service will use rootkit technology to enable itself to be hidden from the computer’s host. The downloaded files will be %System%\netrun[RANDOM NUMBER].exe which are variants of PWSteal.Lineage. After dropping its original host file, the virus starts to search for local drives and network connection shares to infect executable files.

The W32.Detnat program makes changes to the Web browser settings. These changes can cause the user to view advertising pages instead of their requested websites. Default pages may also be changed without the user’s consent. The dialer program can also change the dial-up Internet connection configuration. A per-minute number may be accessed, instead of the user’s ISP (Internet Service Provider). This program allows a remote user to control the system. The control is facilitated using Web pages. Any process can be downloaded and executed in an infected system. These are downloaded without the user’s consent. These files are often malicious programs.