Aliases: PE_NOV20.A, Virus.Win32.Nov, Virus:Win32/Notw.A, W32/Nov, W32/Nov.A
Variants: Virus.Win32.Nov, Win32.Nov, W32/Varra, WIN.EXE.Virus, W95/Nov20-A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Jun 2003
Damage: Low

Characteristics: The W32.Varra application is a simple virus that infects .exe files on all the local hard drives. It doesn’t have a payload. This program affects all windows systems.

More details about W32.Varra

Once W32.Varra is made active, it will launch the already infected host into a separate method. Then, it will infect all the files on all the local hard drives. To prevent itself from being active in more than one instance, this virus will make an event that it queries every time it is activated. Thus, if the event had already taken place, then it will pass control to the original host program. This virus searches for all files with.exe extension and infects it. During its search, W32.Varra skip files such as RUNDLL32, RAV, RUNONCE, LSASS, WINLOGON, SERVICES, SPOOLSV, SCANREGW, and MSTASK. Because of bugs in the virus, some of these would only infect the files in a limited number and they only infect files on specific hard drives.

This W32.Varra program enters a computer through system vulnerabilities. The Trojan program takes advantage of these exploits to be able to enter the computer. The Trojan software does not get the user’s approval before installation. It also bypasses the usual installation procedure. It does not present the user a EULA (End User License Agreement) before installation. A computer can be infected with this application and other threats while accessing websites that are not secure. This is especially the case when the user’s machine is not protected by a security program or a firewall.