W32.Aidid


Aliases: W32/Aidid.worm, Worm.Win32.Aidid, Worm/Aidid, W32/Aidid-A
Variants: Trojan Horse, WORM_AIDID, Aidid Worm, Worm.Win32.Aidid

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 01 Sep 2004
Damage: Low

Characteristics: The W32.Aidid malware delivers its payload by using floppy disks as its transport medium. The infection usually appends the worm's code to the files stored on the disk; in some instances, the worm's code may completely overwrite the contents of those files.

More details about W32.Aidid

The W32.Aidid Worm is considered a security risk, and users who suspect their system is infected with this worm should remove the threat immediately; otherwise, data loss and other system misbehavior, including system and performance degradation, may occur. When the W32.Aidid Worm is executed, it silently runs in the background to avoid arousing the suspicion of the computer user. It first extracts the file sysmon32.exe into the System folder of the Windows directory. This main executable file is then used to create a new Windows Registry key, which allows the W32.Aidid malware to load automatically during every bootup of the infected machine. The malware constantly checks for the presence of a floppy disk in an attempt to spread its code. Once a user accesses the floppy drive, a file named i.did is copied onto the floppy disk. The file i.did is actually a text file that contains instructions on how the W32.Aidid malware will drop its payload onto other machines. The infected floppy disk then transfers the malicious code whenever it is used in the floppy drive of another machine.

This malware has also been observed to terminate critical Windows processes that contain the text strings Close, Process Viewer, Configuration, or Registry. Manual removal of the W32.Aidid Worm requires booting the infected machine in Safe Mode. This allows the deletion of its main executable file as well as the removal of its key from the Windows Registry. Launch the Registry Editor tool and navigate to the registry key to remove the entry this program has added. Make sure the registry change is saved before exiting, then reboot the machine to eliminate the infection.
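The two host artifacts described above (the dropped sysmon32.exe under the Windows System folder with an autorun registry entry, and the i.did marker file on a floppy disk) can be checked offline during triage. The following is an added example written for this page, not code from any vendor tool; it assumes the autorun entry lives under a standard Run key (the description only says a key is added so the worm loads at boot) and that the caller has already parsed the registry export and the removable-disk listing into plain Python values.

```python
import re
from dataclasses import dataclass

# Indicators taken from the description on this page.
DROPPED_FILE = "sysmon32.exe"   # dropped under %WINDIR%\System (or system32)
FLOPPY_MARKER = "i.did"         # text file copied onto the floppy disk

# Assumed locations of the autorun entry; the page does not name the key.
ASSUMED_RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Matches ...\System\sysmon32.exe or ...\system32\sysmon32.exe, case-folded.
_DROPPED_RE = re.compile(r"\\system(32)?\\" + re.escape(DROPPED_FILE) + r"\b")


@dataclass
class Finding:
    kind: str    # "autorun" or "removable"
    detail: str  # where the indicator was seen


def scan_autoruns(entries):
    """entries: iterable of (key_path, value_name, command) tuples as parsed
    from a registry export. Flags commands launching the dropped executable."""
    findings = []
    for key, name, command in entries:
        if _DROPPED_RE.search(command.lower()):
            findings.append(Finding("autorun", f"{key}\\{name} -> {command}"))
    return findings


def scan_removable(files):
    """files: iterable of file names found in the root of a removable disk."""
    return [Finding("removable", f) for f in files if f.lower() == FLOPPY_MARKER]


def triage(entries, files):
    """Combine both checks; an empty list means neither indicator was seen."""
    return scan_autoruns(entries) + scan_removable(files)


# Constructed sample input for demonstration; not data from a real infection.
SAMPLE_AUTORUNS = [
    (ASSUMED_RUN_KEYS[0], "SysMon", r"C:\WINDOWS\System\sysmon32.exe"),
    (ASSUMED_RUN_KEYS[1], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FLOPPY = ["report.doc", "I.DID"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS, SAMPLE_FLOPPY):
        print(finding.kind, finding.detail)
```

Only entries that point at sysmon32.exe inside a System folder are flagged, so a legitimately named sysmon32.exe elsewhere on disk is not reported by this check alone.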