W32.Icabdi.A


Aliases: PE_ICABDI.A, Win32.Icabdi.A, Win32/Icabdi.A, Icabdi.A
Variants: JS/Icabdi, W32/Icabdi-A, Trojan-Dropper.Win32.Agent.akc

Classification: Malware
Category: Computer Virus

Status: Dormant
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 05 Mar 2006
Damage: Low

Characteristics: The W32.Icabdi.A belongs to a group of viruses which are commonly called as proof of concept. These viruses are designed by authors not for the delivery of damage to a particular computer system but rather to point out a possible vulnerability in a particular system or application. This specific virus was created precisely to emphasize vulnerabilities in XSN format files. These types of viruses are normally sent to antivirus developers to patch up the loopholes.

More details about W32.Icabdi.A

XSN format files are primarily cabinet compressed archive files which contain XML format files. This file format is used by specific applications mostly during the installation process. Execution of the W32.Icabdi.A initially creates a temporary folder to be used specifically by the malware. It will then search the current folder for the presence of the XSN format files and places a copy into the malware's temporary folder. The W32.Icabdi.A will attempt to extract the contents of the XSN file and modify its contents. The W32.Icabdi.A will inject malicious codes at the start of the OnLoad function of the XDocument section. The result of this routine is that it will launch the malware each time the infected XSN format file is accessed by the application.

The W32.Icabdi.A will refrain from infecting XSN format files that do not have this function or has the iCab text in its body. The malware will create a new text format file where a list of the files that are stored in the original version of the XSN file will be kept. These files will be repacked by the W32.Icabdi.A into a new file using the CAB format. This new file will replace the original XSN to institute the infected script. After completing its infection routine the W32.Icabdi.A will attempt to delete its temporary files and all its contents.