Aliases: Backdoor.Small.HJ [PC Tools], Net-Worm.Win32.Small.g [Kaspersky Lab], WORM_ZOTOB.N [Trend Micro]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: active & spreading
Spreading: slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: hard
Platform: W32
Discovered: 16 Sep 2005
Damage: medium

Characteristics: The W32.Dafet.A program exploits the Microsoft Windows Plug and Play buffer overflow vulnerability.

More details about W32.Dafet.A

When this worm is executed, it automatically downloads and runs the file msvcrtdd.dll from a remote IP address. It is also considered a Trojan dropper, and the dropped component is normally detected as a variant of Backdoor.Trojan when it runs. The worm also generates IP addresses automatically; on a successful attack against one of them, this enables the target to download and run the remote file update.exe from the compromised computer. This file is a copy of the worm. The Trojan component is capable of using the affected computer's Internet connection to reach remote file servers. Once a connection has been established, it downloads illicit components onto the user's machine, which may include adware and spyware programs, other worms, BHOs (Browser Helper Objects), and other viruses.

All the programs downloaded by W32.Dafet.A are installed stealthily on the compromised machine; the user is not notified of their presence. Both the user's privacy and security are compromised by these additional files, some of which are able to gather sensitive information from the computer, including the user's PII (Personally Identifiable Information). W32.Dafet.A may enter a computer when the user visits websites with expired security certificates or websites embedded with malicious code. The Trojan component executes stealthily on the user's computer and may launch each time the system is rebooted.