Aliases: W32/Annew-A, Pahooka.A
Variants: Worm.Win32.Delf.dr, Backdoor.Win32.Hupigon, Mal/Sily-A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 08 Feb 2007
Damage: Medium

Characteristics: This worm spreads through removable storage devices and vulnerable network shares. W32.Annew.A copies itself to the hard drive and to every removable storage device it finds, and its activity causes some system-critical tools to fail.

More details about W32.Annew.A

When W32.Annew.A runs, it places an autorun.inf file on every removable and shared storage device it can reach, so the malware launches automatically whenever a user opens the device. This routine accounts for much of its spread to other computers and across networks. The malware also extracts a number of EXE, PIF, and BAT files onto the infected system, scattering them across folders and subfolders in different directories, apparently to complicate detection and removal. Depending on how many times the malware is executed, some of these files are very likely to exist in multiple copies in one or more locations.
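As an added defender-side check (not part of this advisory), the following Python inspects an autorun.inf for directives that would auto-launch a program with one of the extensions named above. The sample content is constructed, and scan_root is an assumed convenience for pointing the check at a drive root.

```python
"""Flag autorun.inf entries that would auto-launch an executable from a removable drive."""
import os
from pathlib import PurePath
RISKY_EXTENSIONS = {".exe", ".pif", ".bat", ".cmd", ".com", ".scr"}  # EXE/PIF/BAT per the advisory, plus kin
LAUNCH_KEYS = ("open", "shellexecute")  # icon= and label= are cosmetic and ignored

def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section into a lower-cased key -> value dict (INI style, first '=' splits)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value: str) -> str:
    """Program name from a command line: a quoted path, else the first whitespace-delimited word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def assess_autorun(text: str) -> list:
    """Return (directive, program) pairs whose target has a risky extension; [] means nothing suspicious."""
    findings = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= all cause a program to run
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            program = first_token(value)
            if PurePath(program.replace("\\", "/")).suffix.lower() in RISKY_EXTENSIONS:
                findings.append((key, program))
    return findings

def scan_root(root: str) -> list:
    """Assumed helper: assess <root>/autorun.inf if present (e.g. a removable drive root such as 'E:\\')."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess_autorun(fh.read())

# Constructed sample of what a USB worm might drop; not captured from real malware.
SAMPLE_AUTORUN = ("[AutoRun]\r\nopen=RECYCLER\\setup.exe\r\nshellexecute=\"rundll.pif\" /s\r\n"
                  "icon=drive.ico\r\nlabel=USB\r\nshell\\open\\command=update.bat\r\n")
BENIGN_AUTORUN = "[autorun]\r\nicon=drive.ico\r\nlabel=My USB\r\n"
```

Run assess_autorun over the contents of autorun.inf on each removable drive root; an empty list means only cosmetic directives were found.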

If W32.Annew.A enters an endless loop, the computer can freeze because of the system resources it needlessly consumes. The malware also disables the operating system's System Restore tool through a Windows Registry key, which prevents the user from restoring a healthy version of the system on the infected machine. An error message titled Application Error, containing the text 0xFFFFFFFF in its body, is displayed on screen. The malware also attempts to terminate system-critical processes as well as running antivirus and other security programs, which lets it connect to remote addresses and download more malicious code.