W32.Alnuh


Aliases: W32/VB-DVR, W32/Hooon.worm, W32/VB-DVT, W32/Autorun.worm.de, WORM_HOOON.A
Variants: Trojan.VB.DRUK, Worm.Win32.AutoRun.fs, W32/Autorun-DU, Win-Trojan/AutoRun.40960, Virus.Win32.AutoRun.ad

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 31 May 2007
Damage: Medium

Characteristics: The main payload of W32.Alnuh is to lower the security settings of the compromised computer. It also interferes with the behavior of tools such as the Registry Editor, Command Prompt, Folder Options, and Windows Task Manager.

More details about W32.Alnuh

This malware uses removable storage devices as transport media to spread its code. Its effects are reportedly isolated to the Arabic and English versions of the Microsoft Windows operating system. It drops an autorun.inf file onto the removable storage device to trigger the AutoPlay function, which lets W32.Alnuh execute its code once the device is used in another computer. The payload also extends to all available network shares found on the compromised system. When the user of the compromised machine attempts to launch Windows Task Manager, a message window is displayed on the screen.

The message window prompts the user to try launching Task Manager again after clicking the OK button of the message box. This does not resolve the problem, because W32.Alnuh blocks the tool by design so that its background processes cannot be terminated. The malware also monitors the titles of open windows to identify which services and processes to terminate. It also creates the file Sys.exe on the hard drive and on all other storage devices attached to the infected computer. On the hard drive, this executable is stored in the Web folder under the Windows directory.
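A defender can check a mounted volume for the two artifacts described above: an autorun.inf that launches a program, and a file named Sys.exe. The Python below is an added example, not code from the original page; it assumes Sys.exe sits in the volume root and that the autorun.inf uses the standard launch keys, and the sample volume it scans is constructed.

```python
import os
import tempfile

# Standard [autorun] keys that make Windows start a program from the volume.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")

def launch_targets(text):
    """Return the commands an autorun.inf would run, ignoring icon/label keys."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            shell_verb = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in LAUNCH_KEYS or shell_verb):
                targets.append(value)
    return targets

def scan_volume(root):
    """List findings for one volume root: executable autorun entries, Sys.exe."""
    findings = []
    names = {name.lower(): name for name in os.listdir(root)}
    if "autorun.inf" in names:
        path = os.path.join(root, names["autorun.inf"])
        with open(path, encoding="latin-1") as fh:
            for cmd in launch_targets(fh.read()):
                if any(ext in cmd.lower() for ext in EXEC_EXTS):
                    findings.append(("autorun-launch", cmd))
    if "sys.exe" in names:  # assumption: the copy sits in the volume root
        findings.append(("sys.exe-present", names["sys.exe"]))
    return findings

def demo():
    """Scan a constructed sample volume (harmless empty files in a temp dir)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\n; constructed sample\nopen=Sys.exe\nicon=drive.ico\n")
        open(os.path.join(root, "Sys.exe"), "w").close()
        return scan_volume(root)

if __name__ == "__main__":
    print(demo())
```

A file name match alone is weak evidence, so treat a finding as a prompt to inspect the volume rather than as a verdict.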