Aliases: Trojan:Win32/SystemHijack.gen, Virus.Win32.AutoRun.em, W32.Gexin.a, Win32.Gexin.A, Win32/AutoRun.K
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 29 Jun 2007
Damage: Low

Characteristics: W32.Gexin.A is a worm that propagates through shared folders and removable drives by continuously searching for those drives. It alters ".htm", ".php" and ".asp" files on the compromised computer, through which it also downloads additional malicious content. This worm may steal private information from the compromised computer. This information may end up on the black market. Confidential email messages and/or usernames and passwords can also be sold on the Internet.

More details about W32.Gexin.A

The majority of this worm's function is to copy itself as hidden and system files. It drops these files in the Windows system directory: Svshost.exe, lcg.exe and Autorun.inf. Once present, it changes the Internet Explorer start page to www.hao123.com, then disables access to Windows updates. It also continuously searches for files with the ".gho" extension and deletes them if found. Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the "Autorun.inf" file could cause automatic execution of the worm. As such, always protect your computer by denying all incoming connections and allowing only services you know and trust. Do not install or turn on computer services just because they pop up on your screen.
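An added example (not part of the original write-up): a Python check that parses an Autorun.inf and flags launch entries pointing at the dropped file names listed above. The sample Autorun.inf contents are constructed, since the page does not show the worm's actual file, and `launch_targets` and `flag_autorun` are names chosen for this example.

```python
import ntpath
import re

# File names the page lists as dropped by W32.Gexin.A (compared case-insensitively).
# The page's spelling is "Svshost.exe", which differs from the legitimate svchost.exe.
DROPPED_NAMES = {"svshost.exe", "lcg.exe"}
# Autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_targets(autorun_text):
    """Return (key, file name) pairs for every launch entry in the [autorun] section."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            # Keep only the executable path: drop surrounding quotes and arguments.
            if value.startswith('"'):
                exe = value[1:].split('"', 1)[0]
            else:
                exe = value.split(" ", 1)[0]
            targets.append((key.lower(), ntpath.basename(exe).lower()))
    return targets

def flag_autorun(autorun_text):
    """Return launch entries whose target matches a file name listed on the page."""
    return [t for t in launch_targets(autorun_text) if t[1] in DROPPED_NAMES]

# Constructed samples; neither is taken from a real infection.
SAMPLE = """[AutoRun]
; constructed example
open=lcg.exe
shell\\open\\command="Svshost.exe" /s
icon=folder.ico
"""
BENIGN = "[autorun]\nopen=setup.exe\nlabel=Installer\n"

if __name__ == "__main__":
    for key, name in flag_autorun(SAMPLE):
        print(f"suspicious launch entry: {key} -> {name}")
```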

Experts say this virus is potentially capable of giving a remote attacker almost limitless control. The attacker can control the infected machine as if sitting in front of it. Therefore, the specific destructive abilities of this virus will depend on its creator. The attacker may simply gather information about the infected computer. At worst, the attacker can destroy the infected computer and all its files. Moreover, there are reports indicating that the W32.Gexin.A virus can download unsolicited and unwanted files to the compromised machine. It can potentially download any malicious application, from the simplest pop-up advertisements to the harshest worms.