Aliases: N/A for W32.Ceted
Variants: N/A for W32.Ceted

Classification: Malware
Category: Computer Worm

Status: active
Spreading: Low
Geographical info: Low
Removal: Easy
Platform: W32
Discovered: 09 Jan 2008
Damage: low

Characteristics: This is also classified as a backdoor worm. It is said that W32.ceted is a computer worm that attempts to decrease the security level of someone's computer.

More details about W32.Ceted

Consequently creating various files on your system and attempting to copy itself on other computers shared to your network, this virus or worm affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista and Windows XP. This virus usually spreads to the network that shares and allows trackers to gain full access and more importantly control in the computer. When the worm is executed, it creates the following files and gives them system, hidden, and read-only attributes: %SystemDrive%\ntdetec1\ntdetec1.exe, %SystemDrive%\ntdetec1\cmrss.exe, %SystemDrive%\ntdetec1\run.exe, %SystemDrive%\ntdetec1\shell32.exe, %SystemDrive%\ntdetec1\drivelist.txt, %SystemDrive%\ntdetec1\child\autorun.inf, and %SystemDrive%\ntdetec1\child\ntdetec1.exe. Indications of infections include duplication or replication of files and sharing of all the files to all shared and removable drives on the compromised computer.

It is also known that the worm monitors all new processes created. If the window title of any process contains one of the following strings, the worm will close that window of Windows Task Manager and Process explorer. Another factor known is that the worm attempts to redirect Google searches to customized search results using the URL. This is the example of the URL,http://www.google.com/custom?hl=en&client=pub-2141221394801249&channel=7215448870&cof=FORID 3A1 3BGL 3A1 3BLBGC 3A336699 3BLC 3A 230000ff 3BVLC 3A 23663399 3BGFNT 3A 230000ff 3BGIMP 3A 230000ff 3BDIV 3A 23336699 3B&ie=ISO-8859-1&oe=ISO-8859-1&q=[ORIGINAL QUERY]. The worm then will restart the computer if the cmrss.exe process is ended.