Aliases: Win32/Debanpass
Variants: Win32/Debanpass.A

Classification: Malware
Category: Computer Worm

Status: Active
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 16 Oct 2007
Damage: Medium

Characteristics: W32.Debanpass is a self-replicating worm that infects all drives found on the computer, including floppy disk, CD and USB drives. This worm first appeared on October 16, 2007.

More details about W32.Debanpass

This worm copies itself to all drives on the user’s computer. Its payload attempts to steal sensitive and confidential information, including bank details and credentials for other accounts, such as email passwords. Upon execution, the worm creates files such as %System%\crase.exe, %System%\winebay.exe, %System%\url.tmp, %System%\dde.st, C:\tmpsss.log, C:\xxjsnxx.tmp and %DriveLetter%\autorun.inf. These files are then added to a certain registry location. The worm can steal information once the user accesses accounts, such as online banking, on the Internet. It also monitors Internet Explorer and searches for strings such as SIGN IN, EBAY-SIGN IN, IDENTIFICARSE and others. Although its threat level is low, once it has been executed from the computer's drives this self-replicating worm lets the attacker use the stolen information for illegal purposes, such as fraud or other scams. Identity theft is common nowadays, and once your information has been collected, you can no longer stop the attacker from using it.
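The file artifacts listed above can be turned into a quick host check. The following is an added example, not part of the original write-up: it looks for the named files case-insensitively and reports what any autorun.inf on a drive root would launch. The file names come from the text above; the autorun.inf keys it reads (open, shellexecute, shell\open\command) are standard autorun keys and an assumption here, since the write-up does not describe the file's contents.

```python
import os

# Artifact names taken from the write-up above; the directories passed to
# scan() are supplied by the caller (defaults under __main__ are assumptions).
SYSTEM_FILES = ["crase.exe", "winebay.exe", "url.tmp", "dde.st"]
ROOT_FILES = ["tmpsss.log", "xxjsnxx.tmp"]  # written to C:\ per the write-up
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def _find(directory, name):
    """Case-insensitive lookup of `name` in `directory`; returns path or None."""
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    except OSError:
        pass  # missing or unreadable drive (for example an empty CD tray)
    return None


def autorun_targets(path):
    """Return the commands an autorun.inf would launch."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in AUTORUN_KEYS and value.strip():
                targets.append(value.strip())
    return targets


def scan(system_dir, system_drive, drive_roots):
    """Return {'files': [paths], 'autorun': {inf_path: [targets]}} for hits."""
    hits = [p for n in SYSTEM_FILES if (p := _find(system_dir, n))]
    hits += [p for n in ROOT_FILES if (p := _find(system_drive, n))]
    autorun = {}
    for root in drive_roots:
        inf = _find(root, "autorun.inf")
        if inf:
            autorun[inf] = autorun_targets(inf)
    return {"files": hits, "autorun": autorun}


if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    print(scan(os.path.join(windir, "System32"), "C:\\",
               [f"{d}:\\" for d in "CDEFGHIJ"]))
```

An autorun.inf on its own is not proof of infection, since legitimate installation media ship one; the reported launch targets are what to review.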

This application also connects to an IRC server. It may use its own mIRC client to do so. The software logs onto a channel specified in its programming. It will appear to other users as another logged-in user. It may also be able to reply to simple commands with pre-determined responses. The worm software waits for commands from other logged-in users. The program then carries them out. The instructions may be IRC-related. The application can be made to join specific channels and post links to infected servers.