W32.Annoying.Worm


Aliases: TROJ_NEWPIC.A, W32/Choke.c.worm, Win32.Annoying
Variants: W32/Jerrym, Worm.JerryMsg.A, I-Worm.Newpic, W32/Choke.b.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 08 Aug 2001
Damage: Low

Characteristics: An infection from the W32.Annoying.Worm is normally marked by the presence of the PIC1324.exe and the 1Read Me.txt files in the main hard drive. This malware requires the MSN Messenger client to be actively running before it can deliver its payload.

More details about W32.Annoying.Worm

Since the W32.Annoying.Worm program requires the presence of the MSN Messenger client, any computer system which does not have this application can still become infected but the malware cannot spread to other machines. When this malware executes, it creates the directory Messenger1324\ Brain in the main hard drive of the machine. This location is supposedly used by the W32.Annoying.Worm program to store bogus instructions on how to remove the malware from the machine. When successfully established in a computer system, it is noted to monitor all incoming messages via MSN Messenger and attempts to communicate with other users chatting with the user of the infected machine. The W32.Annoying.Worm program may also send files to other MSN Messenger users without the knowledge of the account owner.

This malware displays an error message box informing the computer user that a file is corrupted and it should be reinstalled. Part of the payload of this malware is to trick other MSN Messenger users into launching sent files by sending a chat message with the contents "hey, want me to send my new pic? i took it yesterday". A certain registry entry is added into the Windows Registry to establish its presence in the infected machine. Removing the W32.Annoying.Worm malware requires the eradication of its associated Windows Registry key via the Registry Editor tool of the Operating System. The machine must be restarted before any of its file strains can be deleted from the infected computer system.