Aliases: Trojan.Win32.Qhost.kng, Spy-Agent.dy, Mal/Behav-316, Trojan.Win32.Qhost, Win-Trojan/Agent.185360.B
Variants: Trojan.Win32.Qhost.lhz, W32/AutoAEU-Gen, AdWare.Win32.BHO, Win-Trojan/Inject.163424

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 10 Jan 2008
Damage: Medium

Characteristics: Like most worms, W32.Ackpra.A spreads to other computer systems and networks by copying its own code. It relies mostly on unsecured network shares and removable storage devices as transport mechanisms. An infection may lead to the download of potentially dangerous code.

More details about W32.Ackpra.A

When executed, the W32.Ackpra.A worm normally targets the root directory and the System folder of the Windows directory on the compromised computer. In the System folder, the malware is believed to create or overwrite the files winlogon.dll and calc.exe. A number of text files, including EnumHost.txt and EnumHostWw.txt, are created in the root directory along with the RESSDT.sys file. The presence of these files indicates that the malware has executed on the system. Registry keys for the calc.exe and winlogon.dll files are created in the Windows Registry so that the worm launches together with the operating system at boot. The W32.Ackpra.A malware likewise creates other keys in the Windows Registry that point to the location of its main executable file.

The malware also uses the Windows Registry to disable the options of booting in Safe Mode and booting from the network environment. This is seen as an attempt to complicate its removal. The RESSDT.sys file may also be registered by the malware as a legitimate Windows service with automatic startup properties. Files with the extension GHO are searched for and removed from the system. The files HDM.exe and autorun.inf are generated on all logical drives of the infected machine, which allows the W32.Ackpra.A malware to execute and spread every time the user opens a drive. This is done for all fixed and removable storage drives found in the system. The complexity of the malware makes manual removal almost impossible.
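The file artifacts named above can be checked with a short triage sweep. The following is an added example, not part of the original entry; the function names and the sample directory tree are constructed for illustration, and on a real host you would pass the actual drive roots and the System folder instead.

```python
import os
import tempfile

# File names from the description above, grouped by where the page says they appear.
ROOT_FILES = ("EnumHost.txt", "EnumHostWw.txt", "RESSDT.sys")
DRIVE_FILES = ("HDM.exe", "autorun.inf")
# calc.exe is left out: Windows ships a legitimate file of that name in the System
# folder, so its presence alone says nothing.
SYSTEM_FILES = ("winlogon.dll",)


def present(directory, names):
    """Return paths in `directory` whose names match `names`, ignoring case."""
    try:
        entries = os.listdir(directory)
    except OSError:  # drive not ready, access denied, or path missing
        return []
    wanted = {n.lower() for n in names}
    return sorted(os.path.join(directory, e) for e in entries if e.lower() in wanted)


def sweep(drive_roots, system_dir):
    """List indicator files found in the drive roots and the System folder."""
    hits = []
    for root in drive_roots:
        hits += present(root, ROOT_FILES)
        dropped = present(root, DRIVE_FILES)
        # autorun.inf alone is common on legitimate media; report the pair only
        # when HDM.exe sits beside it.
        if any(os.path.basename(p).lower() == "hdm.exe" for p in dropped):
            hits += dropped
    return hits + present(system_dir, SYSTEM_FILES)


def build_sample(base):
    """Constructed sample tree: one affected drive root, one clean, one System folder."""
    layout = {"c": ["ENUMHOST.TXT", "RESSDT.sys", "hdm.exe", "autorun.inf"],
              "d": ["autorun.inf", "setup.exe"],
              "system32": ["winlogon.dll", "calc.exe"]}
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in files:
            open(os.path.join(base, folder, name), "w").close()
    return [os.path.join(base, "c"), os.path.join(base, "d")], os.path.join(base, "system32")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        roots, system_dir = build_sample(base)
        for path in sweep(roots, system_dir):
            print(path)
```

A file-name match is only a lead for further inspection; the registry changes described above are not covered by this sweep.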