W32.Antiqfx.B.worm


Aliases: Win32.HLLW.AntiQFX.b, Win32/AntiQFX.B, W32/Antiqfx.worm.b
Variants: W32/Antiqfx.worm, W32/AntiQFX-A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 19 Mar 2001
Damage: High

Characteristics: W32.Antiqfx.B.worm belongs to the W32.Antiqfx.worm family of network-aware worms: it spreads across a network by copying itself through unprotected or weakly secured network shares. On the infected machine it also searches for specific file extensions and file names and deletes the files it finds (the lists are given below).

More details about W32.Antiqfx.B.worm

The worm's main executable is Mscdex.exe. On machines that have an autoexec.bat, the worm appends a line to it that runs Mscdex.exe, so the worm is started with the system. Note that MSCDEX.EXE is also the file name of Microsoft's CD-ROM Extensions driver, which legitimately appears in autoexec.bat on DOS and Windows 9x systems, so a reference to that name in autoexec.bat is not by itself proof of infection; a copy of Mscdex.exe in a Startup folder is the indicator to look for.

The worm enumerates all network resources reachable from the infected machine and uses the result to copy itself into the Startup folder of every attached client it can write to. Where it can, it also places a copy in the Startup folder of the Administrator account on the infected machine itself. Anything in a Startup folder is run at logon, so the worm is launched automatically every time the system starts or is rebooted. The worm creates a mutex to mark an infected system and to ensure that only one instance runs at a time: if a second instance is launched, the later one finds the mutex already present and terminates itself. Finally, the worm searches the machine for files with the extensions BTH, MAR, GLY, ISP, POS, BRU, QFO, QUE, CAT, LUT or LSO and deletes every file it finds.

The worm also searches for the files Aver.ini, Amwin1.dll, Amcc.dll, Avermagic.exe, Amagic.exe, Qfxwin.exe, Qfxwin.ini, Qfxwin1.dll and Qfxcc.dll; any running process belonging to these is terminated and the file is then deleted from the disk. The main executable is written in C++, packed with PE-Pack and protected by a HASP layer, which makes static inspection and manual cleanup harder. For this reason an up-to-date antivirus product should be used to remove it completely. Cleanup should also cover every Startup folder on the network that the infected machine could write to, since a copy left on a connected client will otherwise re-infect the host at its next logon.
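The following triage script is an added example, not code from the original page or from any antivirus vendor. It turns the indicators listed above into an offline check of a drive image or mounted share: it flags autoexec.bat lines that launch Mscdex.exe from somewhere other than the DOS driver directories (the "legitimate directory" rule, DOS and COMMAND, is a heuristic chosen here, not something the page states), lists copies of Mscdex.exe found in any Startup folder, and enumerates both the files the worm would delete (so they can be backed up first) and the Aver/QFX product files it targets. The directory layout and the sample drive contents are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above (lower-cased for matching).
DROPPED_NAME = "mscdex.exe"
TARGET_EXTENSIONS = {".bth", ".mar", ".gly", ".isp", ".pos", ".bru",
                     ".qfo", ".que", ".cat", ".lut", ".lso"}
KILLED_NAMES = {"aver.ini", "amwin1.dll", "amcc.dll", "avermagic.exe", "amagic.exe",
                "qfxwin.exe", "qfxwin.ini", "qfxwin1.dll", "qfxcc.dll"}

# Caveat: MSCDEX.EXE is also the legitimate DOS CD-ROM extensions driver, normally
# launched from autoexec.bat out of C:\DOS or C:\WINDOWS\COMMAND. Treating a reference
# from any other directory (or a bare name resolved via PATH) as suspicious is a
# heuristic assumed for this example; review such lines rather than acting on them blindly.
LEGIT_DRIVER_DIRS = {"dos", "command"}

# An autoexec.bat command line that runs mscdex, with optional "call"/"start" and a path prefix.
MSCDEX_LINE = re.compile(
    r"^\s*@?\s*(?:call\s+|start\s+)?(?P<path>\S*?)mscdex(?:\.exe)?\b", re.IGNORECASE)
COMMENT_LINE = re.compile(r"^\s*(?:rem\b|::)", re.IGNORECASE)


def classify_autoexec(root: Path) -> list[tuple[str, bool]]:
    """Return (line, suspicious) for every autoexec.bat line that launches mscdex."""
    autoexec = root / "autoexec.bat"
    if not autoexec.is_file():
        return []
    hits = []
    for line in autoexec.read_text(errors="replace").splitlines():
        if COMMENT_LINE.match(line):
            continue  # commented out, never executed
        m = MSCDEX_LINE.match(line)
        if not m:
            continue
        parent = Path(m.group("path").replace("\\", "/")).name.lower()
        hits.append((line.rstrip(), parent not in LEGIT_DRIVER_DIRS))
    return hits


def walk_files(root: Path):
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield Path(dirpath) / name


def find_startup_copies(root: Path) -> list[str]:
    """Copies of the dropped executable sitting in any Startup folder (local or on a share)."""
    found = []
    for f in walk_files(root):
        rel = f.relative_to(root)
        if f.name.lower() == DROPPED_NAME and "startup" in (p.lower() for p in rel.parts[:-1]):
            found.append(rel.as_posix())
    return sorted(found)


def find_at_risk_files(root: Path) -> list[str]:
    """Files with extensions the worm deletes; back these up before cleaning."""
    return sorted(f.relative_to(root).as_posix() for f in walk_files(root)
                  if f.suffix.lower() in TARGET_EXTENSIONS)


def find_targeted_product_files(root: Path) -> list[str]:
    """Aver/QFX files the worm terminates and removes."""
    return sorted(f.relative_to(root).as_posix() for f in walk_files(root)
                  if f.name.lower() in KILLED_NAMES)


def triage(root: Path) -> dict:
    autoexec = classify_autoexec(root)
    startup = find_startup_copies(root)
    return {
        "autoexec": autoexec,
        "startup_copies": startup,
        "at_risk": find_at_risk_files(root),
        "product_files": find_targeted_product_files(root),
        "infected": bool(startup) or any(s for _, s in autoexec),
    }


def build_sample_tree(base: Path) -> Path:
    """Constructed sample of an infected drive (not a real capture); layout is assumed."""
    root = base / "C"
    (root / "Windows" / "Start Menu" / "Programs" / "StartUp").mkdir(parents=True)
    (root / "Windows" / "Command").mkdir(parents=True)
    (root / "data").mkdir()
    (root / "Program Files" / "QFX").mkdir(parents=True)
    (root / "autoexec.bat").write_text(
        "@ECHO OFF\r\n"
        "C:\\WINDOWS\\COMMAND\\MSCDEX.EXE /D:MSCD001\r\n"  # legitimate CD-ROM driver line
        "REM C:\\OLD\\MSCDEX.EXE\r\n"                      # commented out, ignored
        "C:\\WINDOWS\\MSCDEX.EXE\r\n")                     # line appended by the worm (assumed form)
    (root / "Windows" / "Command" / "MSCDEX.EXE").write_bytes(b"legit driver stub")
    (root / "Windows" / "Start Menu" / "Programs" / "StartUp" / "Mscdex.exe").write_bytes(b"MZ worm stub")
    (root / "data" / "invoice.que").write_bytes(b"queue data")
    (root / "data" / "layout.gly").write_bytes(b"layout data")
    (root / "data" / "notes.txt").write_bytes(b"not targeted")
    (root / "Program Files" / "QFX" / "Qfxwin.exe").write_bytes(b"MZ product stub")
    return root


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    return triage(build_sample_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the root of a mounted image or share instead of the constructed tree by calling triage(Path("/mnt/host")); the mutex the worm uses cannot be checked this way, since it exists only in the memory of a running system.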