W32.Weakling


Aliases: W32/Weakling, Win 32.Weakling, W32.Piffle
Variants: Virus.Win32.Weakling, Win32/Weakling

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 Jul 2007
Damage: Low

Characteristics: The W32.Weakling application is a proof of concept virus that duplicates itself and infects Windows .EXE files in your current directory. This virus affects windows operating system such as Windows 98, Windows XP, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows 2000

More details about W32.Weakling

When W32.Weakling virus is executed, it searches for uninfected files in the current directory and randomly selects one of them. When the virus selects a particular file, it creates an .LNK and shortcut link in order to replace the host file. The .LNK file is an archive that carries the host file and the virus code. Once the .LNK is executed on the system, the command line inside carries out the command processor and passes the name of the .LNK file and the debug.exe files as parameters. The command processor will then run debug.exe while the .LNK is utilized as a script to drive it. This script creates a Windows executable in system’s memory. It would then write it into the disk and executes it. After that the created file will open the .LNK, extracts it, runs the host file, and then it finds for another file to infect. The created file is detected as W32.Chiton.gen.

W32.Weakling is functionally similar to W32.Piffle, with the difference that the .LNK format is utilized instead of the Program Information File (PIF) format. In fact, these viruses show no danger to users, they’re just something to occupy the time of virus writers. There are, of course, more worthy pursuits. The W32.Weakling program uses legitimate Windows processes as filenames to avoid being detected and deleted from the user’s computer. It also has rootkit functionality. The processes and files related to this software are not visible on the user’s computer. Once a backdoor has been opened, a remote user may be able to take partial control of the user’s system. This may result in a slower computer performance and system instability. Some important files from the computer may be deleted from the system and information regarding the affected system can be transmitted to the remote user. This includes the computer’s IP (Internet Protocol) address, the operating system and the RAM (Random Access Memory).