Aliases: Generic BackDoor, WORM_RUNAUT.B, Win-Trojan/Xema.variant
Variants: Backdoor.Delf!sd6, Backdoor.Win32.Delf.pes, Mal/Packer, Mal/EncPk-E, Trojan-Dropper.Delf

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 12 Jun 2007
Damage: Low

Characteristics: The W32.Arpiframe Worm is capable of influencing the online behavior of the Web browser by injecting harmful HTML type codes into the current HTTP traffic. This means that an infected computer system is extremely vulnerable once an active connection to the Internet is available.

More details about W32.Arpiframe

An execution of the W32.Arpiframe malware into a vulnerable computer system will result in the dropping of multiple files into the System folder of the Windows directory. The wuclmi.exe (a computer hacking tool), services.exe (copy of the WUCLMI file), wincgf.exe (installer of WinPCap libraries), and capinstall.exe (wincfg.exe file copy) files are commonly associated with an infection from this malware. Running the WinPCap installer in the system background will allow the W32.Arpiframe to create the files NetMonInstaller.exe, daemon_mgm.exe, rpcapd.exe, npf_mgm.exe, Packet.dll, wpcap.dll, pthreadVC.dll, WanPacket.dll, and drivers\ npf.sys under the System folder of the Windows directory. Antivirus developers believe that these extracted files are basically clean but are required for malware payload delivery. Once the installation of all the files has been completed, the malware will delete the capinstall.exe file from its original location. The local subnet addresses are then gathered by the W32.Arpiframe malware to prepare an attack on all network clients where the infected machine belongs to. This is where the WinPCap libraries are used by the malware.

The Worm adds dangerous IFRAME commands into the local HTTP traffic. This will result in other computer systems in the network forced to connect to a predetermined website by redirecting the Internet Explorer browser. The W32.Arpiframe malware will then initiate a forced downloading of a copy of the Worm along with other malicious codes into the compromised machines. The exploits associated with the W32.Arpiframe Worm are believed to exploit ActiveX and Graphics Rendering Engine GDI vulnerabilities of the Microsoft Windows Operating System platform.