W32.Babelloh


Aliases: Win32/Meredrop, W32/AutoRun-GW, Worm.Win32.AutoRun.cd
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 Dec 2007
Damage: Medium

Characteristics: W32.Babelloh is a network-aware worm that copies itself to removable drives and to shared folders on the compromised system. It can also open a backdoor on the infected machine.

More details about W32.Babelloh

Allegedly, the W32.Babelloh program can open a backdoor port on an infected computer, allowing unauthorized remote access. The worm can copy itself to shared folders and removable drives. Once on the compromised system, the program creates the mutex "NameOfMutexObject2", which ensures that only one instance of the W32.Babelloh worm runs on the computer. It also creates the files cblogsvr.ini, spoolssv32.exe, mgrShell.exe and wmiprvse.exe on a drive of the infected machine, and the files L4SD\1CE993C1.db and ~RHF524.log in the Temp folder. On mapped network drives and removable drives the worm creates further files with the system and hidden attributes set: autorun.inf, recycler, RECYCLER\desktop.ini and RECYCLER\desktop.exe. It also copies the encrypted file RECYCLER\[8 hexadecimal characters].db alongside local .docx, .ros and .doc documents. Finally, W32.Babelloh creates registry entries so that it runs each time Windows starts.

The W32.Babelloh worm also checks whether the machine is connected to the Internet by accessing the website http://windowsupdate.microsoft.com. It then drops additional malicious software onto the infected machine, which opens a backdoor and tries to connect to predetermined websites such as http://qack.nu, http://lack.bpa.nu and http://pbwoman.6600.org on TCP ports 8088 or 8080, as well as port 80. To completely remove W32.Babelloh, you must delete all the files it dropped on the machine, delete the registry entries it uses to run at every startup, and restore the registry values it altered to their default settings.
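As an added triage example (not part of the original description), the following Python checks a removable-drive root and a Temp folder for the file names listed above and flags proxy-log lines that reach the named sites on the named ports. The log line format, the sample lines and the make_sample() layout are constructed assumptions; the indicator names themselves come from the description.

```python
import os
import re
import tempfile
# File indicators from the description, relative to the drive root or Temp.
DRIVE_FILES = ["autorun.inf", os.path.join("RECYCLER", "desktop.ini"),
               os.path.join("RECYCLER", "desktop.exe")]
TEMP_FILES = [os.path.join("L4SD", "1CE993C1.db"), "~RHF524.log"]
HEX_DB = re.compile(r"^[0-9A-Fa-f]{8}\.db$")  # RECYCLER\<8 hex chars>.db
C2_HOSTS = {"qack.nu", "lack.bpa.nu", "pbwoman.6600.org"}
C2_PORTS = {"80", "8080", "8088"}
SAMPLE_LOG = [  # constructed proxy-log lines: "<time> <client> <host:port> <verb>"
    "2007-12-05T10:00:01 10.0.0.7 windowsupdate.microsoft.com:80 GET",
    "2007-12-05T10:00:02 10.0.0.7 qack.nu:8088 CONNECT",
    "2007-12-05T10:00:03 10.0.0.7 pbwoman.6600.org:443 CONNECT",
]

def scan_drive(root):
    """Return the removable-drive indicators found under `root`, sorted."""
    hits = [p for p in DRIVE_FILES if os.path.isfile(os.path.join(root, p))]
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        # The encrypted payload has a random-looking 8-hex-digit name, so match by pattern.
        hits += [os.path.join("RECYCLER", n) for n in os.listdir(recycler) if HEX_DB.match(n)]
    return sorted(hits)

def scan_temp(temp_dir):
    """Return the Temp-folder indicators found under `temp_dir`, sorted."""
    return sorted(p for p in TEMP_FILES if os.path.isfile(os.path.join(temp_dir, p)))

def flag_log_lines(lines):
    """Return (host, port) for 'host:port' tokens naming a worm site on a worm port."""
    found = []
    for line in lines:
        for token in line.split():
            host, sep, port = token.rpartition(":")
            if sep and host.lower() in C2_HOSTS and port in C2_PORTS:
                found.append((host.lower(), port))
    return found

def make_sample():
    """Build a constructed layout of empty placeholder files; returns (drive, temp)."""
    base = tempfile.mkdtemp(prefix="babelloh_")
    drive, temp = os.path.join(base, "E"), os.path.join(base, "Temp")
    layout = [(drive, r) for r in DRIVE_FILES + [os.path.join("RECYCLER", "0A1B2C3D.db")]]
    layout += [(temp, r) for r in TEMP_FILES]
    for top, rel in layout:
        path = os.path.join(top, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return drive, temp
```

The dropped executables cblogsvr.ini, spoolssv32.exe, mgrShell.exe and wmiprvse.exe are deliberately left out of the name scan: the description gives no path for them, and wmiprvse.exe is also the name of a legitimate Windows binary, so those should be checked by location and signature rather than by name alone.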