W32.Darker.Worm


Aliases: Worm.P2P.Darker.d, P2P-Worm.Win32.Delf.m, W32/Darker.worm!p2p, TR/Delphi.Downloader.Gen
Variants: Win32.Darker.B, Win32.Darker.A

Classification: Malware
Category: Computer Worm

Status: Active
Spreading: Slow
Geographical info: Asia, North and South America and Europe
Removal: Easy
Platform: W32
Discovered: 04 Nov 2003
Damage: Medium

Characteristics: W32.Darker.Worm is a worm that self-replicates from networks that share file through peer to peer (P2P) applications. It usually contacts an IRC service which allows another user to make commands on the system. This worm is written in Borland Delphi. It is filled with UPX.

More details about W32.Darker.Worm

Once the W32.Darker.Worm application enters the system, it creates a number of files. Its main executable file is often stored in the System directory. Random file names are used to avoid detection. It seldom uses the same file name for its components. Registry entries are also made to allow the program to run at system startup. Users report that its processes may be listed in Task Manager as a system device driver. Since this worm also copies itself through networks shared, the worm easily spreads throughout the system. Once the user accepts the command from another user which is the hacker, the worm replicates itself to the directory as svchost.exe. Afterwards, it adds a certain Registry key value. After the installation, an access is made to contact the IRC server that permits the hacker to give commands such as executing and terminating files.

The worm attempts to propagate through Kazaa or Kazaa Lite, Morpheus or Grokster. Sometimes, it also spreads through email using MAPI with the following characteristics - Subject: Microsoft Windows OutLook Express urgent updates; Attachment: SVCHOST.EXE. This allows the worm to email itself to all the contacts in the email address book. After a successful connection is made, the worm is active in the system permitting executable commands from another user. The remote user then can remove the antivirus software installed in the system, delete or copy files, etc.