W32.Fili.A@mm


Aliases: Bloodhound.Packed, Bloodhound.W32.5, I-Worm.VB.q, WORM_FILI.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 05 Oct 2004
Damage: Medium

Characteristics: On October 5, 2004, a generic Visual Basic worm named W32.Fili.A@mm was discovered. The worm spreads through Microsoft Outlook, through peer-to-peer (P2P) file-sharing networks, and through mIRC. It affects Windows systems, including Windows 95, 98, Me, NT, 2000 and XP.

More details about W32.Fili.A@mm

This generic Visual Basic worm arrives through open file-sharing channels such as mIRC and P2P shares, and also mass-mails itself using a range of message subjects and attachment file names with various extensions. Once executed, the worm performs several actions. First, it copies itself to the System folder as %System%\pilif.exe. It then adds a value to a System registry key so that it runs at startup, and creates two further files. The worm searches for shared directories, such as the KaZaa shared folder, and copies itself there under different subjects such as "Yahoo hacker", "Norton 2004 crack" and "Anti-hacker utility". It also adds a second registry value that disables the Task Manager. Next, it sends itself as an e-mail attachment to every contact in the Microsoft Outlook address book. Finally, it looks for mIRC or mIRC32 in order to send itself over IRC, and attempts to terminate security-related processes.

The worm finally launches a process and attempts to shut down the computer; by that point W32.Fili.A@mm has already propagated. Although it spreads easily, manual removal is straightforward. First disable System Restore and update the virus definitions of the antivirus product in use. Restart the computer in Safe Mode and run a full system scan, deleting all files detected as W32.Fili.A@mm. Then remove the registry value the worm added: click Start, then Run, type regedit, navigate to the System keys and entries that were added, and delete the value.
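As an added, read-only check to run from an elevated PowerShell prompt before and after the clean-up described above (this is example code written for this entry, not part of the original description or any vendor tool), the script below looks for the indicators the entry names: the dropped %System%\pilif.exe copy, an autorun registry value referencing it, the Task Manager policy value, and a running pilif process. The entry does not give the name of the Run value the worm adds, so the script matches any autorun value whose data mentions pilif.exe rather than assuming a specific name; the use of the standard Windows DisableTaskMgr policy value is an assumption based on the entry's statement that Task Manager is disabled.

```powershell
# Added example: hunt for W32.Fili.A@mm indicators described in the entry.
# Read-only; it reports findings and changes nothing.

$findings = @()

# 1. Dropped copy in the System folder. On NT-family systems %System% is
#    %SystemRoot%\System32; on Windows 9x/Me it is %SystemRoot%\System.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\pilif.exe'),
    (Join-Path $env:SystemRoot 'System\pilif.exe')
)
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Autorun values whose data references pilif.exe (value name unknown,
#    so every value under the common Run keys is inspected).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        if ("$($p.Value)" -match '(?i)pilif\.exe') {
            $findings += "Autorun value: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Task Manager disabled by policy (assumed to be the DisableTaskMgr value).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $dtm = (Get-ItemProperty -LiteralPath $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($dtm -eq 1) { $findings += "Policy value: $key\DisableTaskMgr = 1" }
}

# 4. A running process named pilif.
$proc = Get-Process -Name pilif -ErrorAction SilentlyContinue
if ($proc) { $findings += "Running process: pilif.exe (PID $($proc.Id -join ','))" }

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Fili.A@mm indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result after the Safe Mode scan and the regedit step confirms that the dropped file, the startup value and the Task Manager restriction are all gone; a remaining DisableTaskMgr finding is the usual sign that the second registry value was missed during manual clean-up.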