W32.Simouk


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 23 May 2009
Damage: Medium

Characteristics: The W32.Simouk program is a virus that contaminates .exe files on the compromised computer.

More details about W32.Simouk

The W32.Simouk program is a virus that contaminates executable (.exe) files on the compromised PC system. When the W32.Simouk virus is opened, it creates “%CurrentFolder%\[INFECTED FILE NAME].url” and “%CurrentFolder%\[INFECTED FILE NAME].msi” files for each file it contaminates. Then the W32.Simouk virus infects executable (.exe) files located on the compromised PC by moving and encrypting 32,768 bytes of the host executable's data into a separate file named “[INFECTED FILE NAME].url” in the current directory. The virus copies itself into the first 28,672 bytes of the original file. When a contaminated file is opened, it looks for the “%CurrentFolder%\[INFECTED FILE NAME].url” file. Then it duplicates the file “[INFECTED FILE NAME].exe” to “[INFECTED FILE NAME].exe.lnk”.

The W32.Simouk virus reads the “[INFECTED FILE NAME].url” file and decrypts the original data, writing it to “[INFECTED FILE NAME].exe.lnk”. Then it launches the host file to try to cover itself. The virus then connects to a fixed remote host and, once connected, tries to download any of the following items: an additional configuration file, additional malware, or an updated version of itself. Take note that the remote host can be the “easycf.51.net” domain. A computer that is infected with this program runs noticeably slower than usual because of the numerous activities being executed on the user's machine. This program is also known for terminating the processes of security applications that protect the computer, which makes it difficult to detect and remove.
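The infection routine described above leaves a distinctive footprint on disk: next to each infected “[INFECTED FILE NAME].exe” sit a “.url” file that holds 32,768 bytes of encrypted host data (not the INI text a genuine Internet Shortcut contains), a “.msi” file, and a “.exe.lnk” copy. The following triage script is an added example written for this page, not code from the original entry or from any antivirus vendor; it walks a folder and flags executables that show this sidecar pattern. It assumes that “[INFECTED FILE NAME]” is the executable's name without “.exe”, it uses an entropy threshold of 7.0 bits per byte as a heuristic for encrypted content, and it builds its own constructed, benign sample files so it runs offline. It is a triage aid for incident responders, not a replacement for an AV engine's signature.

```python
import math
import tempfile
from pathlib import Path

# Sizes taken from the page's description of the infection routine.
HOST_CHUNK_SIZE = 32768    # bytes of original host data moved into "[NAME].url"
VIRUS_BODY_SIZE = 28672    # bytes of virus body written over the start of the host

# Sidecar files created per infected executable. Assumption: "[INFECTED FILE
# NAME]" is the executable's file name without its ".exe" extension.
SIDECAR_SUFFIXES = (".url", ".msi", ".exe.lnk")

ENTROPY_THRESHOLD = 7.0    # heuristic: encrypted/compressed data is usually above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_text_internet_shortcut(data: bytes) -> bool:
    """A genuine Windows .url file is INI text that begins with [InternetShortcut]."""
    return data.lstrip().startswith(b"[InternetShortcut]")


def assess_exe(exe: Path) -> dict:
    """Collect indicators for one executable and decide whether it looks infected."""
    stem = exe.name[: -len(".exe")]
    present = [s for s in SIDECAR_SUFFIXES if (exe.parent / (stem + s)).exists()]
    reasons = []
    if present:
        reasons.append("sidecar files present: " + ", ".join(present))

    url_is_binary = False
    url = exe.parent / (stem + ".url")
    if url.exists():
        data = url.read_bytes()
        url_is_binary = not is_text_internet_shortcut(data)
        if url_is_binary:
            reasons.append("'.url' sidecar is not a text Internet Shortcut")
        if len(data) == HOST_CHUNK_SIZE:
            reasons.append(f"'.url' sidecar is exactly {HOST_CHUNK_SIZE} bytes")
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            reasons.append("'.url' sidecar is high-entropy (encrypted host data?)")

    # The page says the virus body occupies the first 28,672 bytes of the host,
    # so a file shorter than that cannot carry it.
    big_enough = exe.stat().st_size >= VIRUS_BODY_SIZE
    suspicious = big_enough and (url_is_binary or len(present) == len(SIDECAR_SUFFIXES))
    return {"file": exe.name, "suspicious": suspicious, "reasons": reasons}


def scan_directory(folder: Path) -> list:
    """Assess every *.exe in a folder (non-recursive)."""
    return [assess_exe(p) for p in sorted(Path(folder).glob("*.exe"))]


def make_constructed_sample(folder: Path) -> None:
    """Constructed, benign test data: no real malware bytes are used anywhere."""
    mz = b"MZ" + b"\x00" * 0x3E + b"PE\x00\x00"
    # 1) clean executable with no sidecars
    (folder / "clean.exe").write_bytes(mz + b"\x00" * 40000)
    # 2) executable with a legitimate text .url shortcut next to it
    (folder / "tool.exe").write_bytes(mz + b"\x00" * 40000)
    (folder / "tool.url").write_text("[InternetShortcut]\r\nURL=https://example.invalid/\r\n")
    # 3) the sidecar pattern from the page, with a uniform pseudo-random filler
    (folder / "infected.exe").write_bytes(mz + b"\x00" * 40000)
    filler = bytes((i * 131 + 17) % 256 for i in range(HOST_CHUNK_SIZE))
    (folder / "infected.url").write_bytes(filler)
    (folder / "infected.msi").write_bytes(b"\x00" * 16)
    (folder / "infected.exe.lnk").write_bytes(mz + b"\x00" * 40000)


def demo() -> dict:
    """Build the constructed sample in a temp folder, scan it, return results by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        make_constructed_sample(folder)
        return {r["file"]: r for r in scan_directory(folder)}


if __name__ == "__main__":
    for name, result in demo().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:16} {flag:10} {'; '.join(result['reasons'])}")
```

Run the script against a real folder by calling `scan_directory(Path("C:/path/to/folder"))`; a hit is a prompt to quarantine the executable together with its sidecars and to pull the file for proper analysis, since a binary “.url” beside an executable has no legitimate explanation in ordinary use.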