Aliases: W32/Debsis, W32/Debsis.A
Variants: Win32/AutoRun.EE,Virus.Win32.AutoRun, Win32/AutoRun.EE

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts in Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 Dec 2007
Damage: Low

Characteristics: W32.Debsis.A purportedly spreads by copying itself to unsecured network shares and removable media drives. Its threat control is easy to remove since it does not damage the whole computer system.

More details about W32.Debsis.A

The W32.Debsis.A application also places its files in the hard disk. It may create more than one copy of its main executable file. This is so it can re-spawn even after an attempt has been made to delete it. The file names used are typically associated with legitimate files. This W32.Debsis.A application also spreads by copying itself to any network shares and removable media drives in the computer. Once the worm is successfully launched, the mutex: AFXOnlyOneInstance is created. This means that one copy runs at a time only, then, the worm creates the following files: %ProgramFiles%\Network Associates\VirusScan\svchst.exe; %System%\drivers\inc\sysdeb.ini; %System%\drivers\inc\HPsys. After that, it creates a certain registry entry once the Windows starts.

Allegedly, this program may also use random strings of characters. This is to prevent detection and removal. Registry entries are also created so the program’s processes run once the system starts. Once it has entered the system, it will try to spread to others. It may drop infected files in shared network files. It may also place an infected file in a folder shared via peer-to-peer (P2P) programs. These are commonly named as popular media files to facilitate download. This propagating worm can also create a file (%DriveLetter%\Recycler\Recycler\autorun.exe) on all executable drives such as the floppy disk, CD and USB drives.