Aliases: W32/Baki.A
Variants: Heular W32.Baki.C, W32.Baki.D

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 09 Nov 2007
Damage: Low

Characteristics: W32.Baki.A is a network-aware worm that spreads by copying itself to removable and local drives. It is also known to terminate several security-related processes running on the infected machine.

More details about W32.Baki.A

The W32.Baki.A program is a network-aware worm that can lower the security settings of the compromised computer by disabling its security-related processes. It spreads by copying itself to removable and local drives. When executed on the compromised machine it creates several files, including C:\Windows\Documents and Settings\All Users\Documents\Music.exe, C:\Windows\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif, C:\Windows\ime\imjp8_1\applets\lsass.exe, C:\Windows\mui\smss.exe, C:\Windows\pchealth\ERRORREP\QHEADLES\smss.exe, C:\windows\Autorun.inf and C:\Windows\SoftWareProtector\Error_out.pr. The worm drops Autorun.inf so that it is executed whenever the drive containing the file is accessed. The worm uses the filename Open.exe to copy itself to all removable and local drives of the infected computer.
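A defender-side check for the autorun spreading mechanism described above, written as an added example (it is not code from the original advisory): it parses the Autorun.inf on a drive root and flags one whose open= or shellexecute= entry launches the Open.exe filename the worm uses, and also reports the spreader file itself. The temporary drive image and the Autorun.inf contents in the demo are constructed.

```python
import configparser
import ntpath
import os
import tempfile

# Filename the worm copies itself under on removable and local drives (from the advisory).
SPREADER_NAME = "open.exe"


def parse_autorun(text):
    """Return the executable referenced by an Autorun.inf, lower-cased, or None.

    Looks at the open= and shellexecute= keys of the [autorun] section
    (section name matched case-insensitively); malformed files yield None.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cp.has_option(section, key):
                value = cp.get(section, key).strip().strip('"')
                return ntpath.basename(value).lower()
    return None


def scan_drive_root(root):
    """Report the advisory's two drive-root indicators found under `root`."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        low = name.lower()
        if low == "autorun.inf":
            with open(path, encoding="utf-8", errors="replace") as fh:
                target = parse_autorun(fh.read())
            if target == SPREADER_NAME:
                findings.append("autorun.inf launches " + target)
        elif low == SPREADER_NAME:
            findings.append("spreader file present: " + name)
    return findings


def demo():
    """Build a constructed drive image mimicking the worm's drop, then scan it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "Autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=Open.exe\nshellexecute=Open.exe\n")
        open(os.path.join(drive, "Open.exe"), "wb").close()  # empty stand-in
        return scan_drive_root(drive)
```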

The W32.Baki.A worm will also set the attributes of the folders C:\Windows\system32 and C:\Windows\Fonts to hidden. The worm then creates a registry entry to ensure that it starts when Windows starts. It likewise modifies certain registry entries to lower the system's security settings, and creates, alters and deletes a host of other registry entries for its malicious purposes. Next, all processes that the worm deems security-related are terminated. These processes may include ashdisp.exe, ashavast.exe, ashserv.exe, ashmais.exe, aswupdsv.exe, ashwebsv.exe, AVS 2007.exe, avgcc.exe, mcmnhdlr.exe, McVSEscn.exe, mcshield.exe, MsAutoPro.exe, McVSftsn.exe, nod32krn.exe, nod32kui.exe and nod32.exe. The W32.Baki.A worm will also try to close windows whose titles contain the strings ANT, AVAS, AUTO, AVAST, AVS, AVG, CLEA, BUG, CONSOL, COMPON, DETEC, ESSET, ESSE, KAV, KASP, MANAGEMENT, KILL, MACAFEE, MCA, MECHAN, NOD32, NOD, NORTON, NOR, PAND, REG, PROC, REMOV, REGISTRY EDITOR, SECUR, SCAN, SUPPORT, TASK, SYMAN, UNH, TRIA, UNLO, UNHO, VIR, W32 and VIRUS.