W32.Amca


Aliases: W32/Amca-A, W32/Autorun-DP, Worm.Win32.AutoRun.dfs, Virus.Win32.VB.cl, Worm:Win32/Autorun.FW
Variants: Trojan-Dropper.Win32.VB.pt, Win32/VB.NLK, Mal/SillyFDC-A, Mal/Emogen-O, Worm.VB.DXQQ, TrojanSpy:Win32/Vwealer.NT

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Low
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Jun 2007
Damage: Low

Characteristics: The most damaging component of W32.Amca is its information-stealing payload, which collects sensitive data stored on the infected system and transmits it to the attacker.

More details about W32.Amca

W32.Amca spreads by copying itself to network shares and removable storage. When it is executed, it drops a number of files into the Temp and System folders of the infected machine. Files commonly associated with this threat include nesneller.exe, pac.exe, lil11.dll, mswinsck.ocx, scrrntr.dll, kmon.ocx, ktkbdhk3.dll, acd.cmd and acd2.cmd. Note that some of these are legitimate runtime components (mswinsck.ocx is the Microsoft Winsock control used by Visual Basic programs, which fits the VB-based aliases listed above), so their presence alone is not proof of infection. The worm also modifies a Windows Registry key so that it points to the location of its dropped copy; because the file name that key references can differ from one infection to the next, the worm is effectively able to rename itself, which complicates detection and removal based on file names alone. Once its files are in place and the Registry has been modified, W32.Amca searches the network for shares that are unprotected or protected only by weak passwords.

To get past the password protection, the worm runs through a list of commonly used passwords (a dictionary attack) against each share it finds. Once a share has been opened, the worm copies itself to the connected machine. To spread through removable storage devices, the malware creates the file activexdebbuger32.exe on the device; the file normally carries the hidden attribute so that it does not appear in a default directory listing and does not arouse the user's suspicion. Alongside it, W32.Amca writes an autorun.inf file that references the executable, so that the worm is launched each time the device is opened on a computer where AutoRun is enabled; where AutoRun for removable media is disabled, the autorun.inf is ignored and the worm only runs if the user launches the hidden file directly. Once the worm has established itself on a host, it silently opens a backdoor that gives its author unhampered access to the infected system.
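The following triage helper, added to this entry and not taken from the worm or from any antivirus vendor, shows how the removable-media vector described above can be checked on a suspect drive. It parses an autorun.inf the way a worm writes it (mixed case, padding lines, shell\verb\command entries), lists every program the file would launch, and reports whether each target exists and carries the hidden attribute. The autorun.inf content in the block is constructed for the demonstration; only the file name activexdebbuger32.exe comes from this entry.

```python
"""Triage an autorun.inf plus hidden executable on a removable drive.

Added example for this entry; the SAMPLE_AUTORUN text is constructed and
only the name activexdebbuger32.exe is taken from the malware description.
"""
import os
import stat
import tempfile

# [autorun] keys that directly name a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: padding line, mixed case and shell\<verb>\command
# entries are typical of worm-written files; the real W32.Amca file may differ.
SAMPLE_AUTORUN = r"""[AutoRun]
;xjq8
OPEN=activexdebbuger32.exe
shellexecute=activexdebbuger32.exe
shell\open\command=activexdebbuger32.exe
shell\explore\command=activexdebbuger32.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.
    configparser is avoided on purpose: it rejects lines without '=' and
    worm-written files rely on exactly such junk lines."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _program_of(value):
    """First token of a command value, honouring a quoted path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def launched_programs(entries):
    """Programs the file would start: open=, shellexecute= and every
    shell\\<verb>\\command= entry (these hijack Explorer's Open/Explore
    menu items for the drive). Duplicates collapsed, order preserved."""
    programs = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            program = _program_of(value)
            if program and program not in programs:
                programs.append(program)
    return programs


def is_hidden(path):
    """True if the file has the Windows Hidden or System attribute.
    st_file_attributes exists only on Windows; elsewhere this is False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    mask = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)
    return bool(attrs & mask)


def triage_drive(root):
    """Inspect one drive root: if autorun.inf is present, report each program
    it would launch, whether that file exists and whether it is hidden."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun_present": False, "targets": []}
    with open(inf, encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    targets = []
    for program in launched_programs(entries):
        path = os.path.join(root, program.replace("\\", os.sep))
        exists = os.path.isfile(path)
        targets.append({"program": program, "exists": exists,
                        "hidden": is_hidden(path) if exists else False})
    return {"autorun_present": True, "targets": targets}


def demo():
    """Build a fake drive root in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "activexdebbuger32.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
        return triage_drive(root)


if __name__ == "__main__":
    print(demo())
```

On a real incident, point triage_drive at the drive letter (for example `triage_drive("E:\\")`) and treat a referenced file that exists and is hidden as the indicator to act on; the script reads the drive but never executes or deletes anything.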