Aliases: Foamer.A, Moaphie.A
Variants: W32/Foamer.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 19 Oct 2006
Damage: Low

Characteristics: W32.Foamer.A is a worm found on October 19, 2006 that can replicate itself to propagate via mapped drives. This self-replicating worm affects Windows Systems. It arrives either as an attachment to emails serving as spam or as a dropped file from the network.

More details about W32.Foamer.A

This self-replicating worm comes as the svchost.exe and winnt.exe files in the Windows folder as well as an explorer.exe file in the Windows System folder. In the root of all mapped drives, the worm will also copy as the moaphie.exe and autorun.inf files. On a specific location, the worm modifies the system registry to load itself during startup. Upon execution, the worm will replicate itself to three specific files. Then, it creates four system registry entries, changes the Start page. It also disables the registry tools, command prompt, the Run dialog box located on the Start bar, hidden files viewing and task manager. After downloading and executing files from URLs, the worm will open a backdoor on port 1095/TCP. The worm will send an email to prommas_6@sanook.com to provide system information.

The W32.Foamer.A program's main function is to allow third parties remote access. Remote access is the ability of the hacker to control, utilize and influence the victim’s computer system. Upon being compromised by the said threat, the attacker is then enabled to send commands to the machine that has been infected. The commands contain the instructions for performing a number of operations. Incidentally, this program also has the capability of exploiting security vulnerabilities in the codes of a number of applications. Programs that target the mistakes or loopholes in an application’s codes are known as exploits.