W32.Notime


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 22 Nov 2003
Damage: Low

Characteristics: This is described as a polymorphic Windows virus that patches itself into executable files. Reports also say that infected files increase in size by approximately 4-6Kb. All versions of the Windows operating system can be attacked and infected by W32.Notime. It also has a monitoring function that checks whether the current month and/or day is equal to a stored value.

More details about W32.Notime

If the current month and day do not equal the stored value, the worm searches either the current folder, the Windows directory, or the system folders for files with the extensions ".exe", ".scr" and ".cpi" to infect. To infect a file, the worm patches itself into the original file and modifies the file's entry point, so that its own code is executed before the original program. Another identifiable sign of the worm's presence on a system is a series of dialog boxes that tell a story. It then enters an endless loop in which it continuously opens and closes the CD drive. Other reports say that it passes control back to the original host program. Because of reported bugs, it is likely to crash the execution of a file if that file is executed on the same day as it was infected.
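A defender-side check for the two file changes described above (a size increase of roughly 4-6Kb and a modified entry point), comparing an executable against a known-clean baseline copy. This is an added example, not part of the original write-up; the function names, the reading of "Kb" as kilobytes, and the header-only sample files are assumptions constructed for illustration.

```python
import struct

# Reported growth of an infected file (page: "approximately 4-6Kb"),
# read here as kilobytes; the exact bounds are an assumption.
GROWTH_MIN, GROWTH_MAX = 4 * 1024, 6 * 1024
TARGET_EXTENSIONS = (".exe", ".scr", ".cpi")  # extensions named on the page


def pe_entry_point(data: bytes) -> int:
    """Return AddressOfEntryPoint (RVA) from a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need PE signature (4) + COFF header (20) + first 20 optional-header bytes
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # AddressOfEntryPoint sits 16 bytes into the optional header (PE32 and PE32+)
    (entry,) = struct.unpack_from("<I", data, e_lfanew + 24 + 16)
    return entry


def compare_to_baseline(name: str, baseline: bytes, current: bytes) -> list[str]:
    """List the infection signs from the description that `current` shows."""
    findings = []
    if not name.lower().endswith(TARGET_EXTENSIONS):
        return findings
    growth = len(current) - len(baseline)
    if GROWTH_MIN <= growth <= GROWTH_MAX:
        findings.append(f"size grew by {growth} bytes")
    if pe_entry_point(current) != pe_entry_point(baseline):
        findings.append("entry point changed")
    return findings


def make_sample(entry_rva: int, size: int) -> bytes:
    """Constructed test input: header-only PE stub, zero-padded to `size`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    return (dos + coff + opt).ljust(size, b"\0")


if __name__ == "__main__":
    clean = make_sample(0x1000, 20480)
    changed = make_sample(0x6000, 20480 + 5000)
    print(compare_to_baseline("sample.exe", clean, changed))
```

Because the virus is described as polymorphic, comparing against a baseline of size and entry point is more dependable here than matching a fixed byte pattern of the appended code.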

The W32.Notime application is usually installed without the consent of the user. It uses deceptive tactics to get onto the targeted computer. Most often, it finds its way onto the computer when the user downloads or installs files from unsafe and unverified sources. It can also be downloaded and installed directly from the Internet, especially when the user visits questionable websites. Once the W32.Notime program is run, it creates its own registry keys and registry values to execute its payload. It can run on its own, particularly after Windows starts up.