Aliases: Win32.Rever, W32/Forever, PE_REVER.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 27 Mar 2001
Damage: Low

Characteristics: Also known as Win32.Rever, W32/Forever, and PE_REVER.A, W32.Forever.Worm is a type of worm that was first found on March 27, 2001. This worm has two variants when discovered. It primarily affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.

More details about W32.Forever.Worm

Each variant of W32.Forever.Worm uses its own SMTP engine to be able to propagate itself. This worm infects emails. On the message, it has some particular characteristics: mailed from support@microsoft.com with a subject and an attachment of IE5patch.exe. Once the worm runs, the first variant displays a fake message displayed as “Fatal Error”. Then another variant appears through the form of a message that displays as Win32.Forever. The worm then produces the C:\%system%\Reverof.exe file which is set as hidden, read-only and system. Next, the worm adds a value in the system registry key. When reverof.exe shows a message, the worm modifies one particular system registry key. Lastly, the worm recovers the email account and SMTP server. With the SMTP engine, it sends itself to all email addresses listed on the contact or email address book.

The worm is spread by sending itself to email addresses with the following file extensions through SMTP engine: .exe, .scr, .cpl, .bat, .rar, .arj, .zip, .cab, .htm and .wab. According to reports, the W32.Forever.Worm program infects a computer through security holes in the Web browser and downloads additional third-party software. It tracks activities in the system and in the registry. The pop-up ads that this program generates are programmed to match the browsing behavior of the user. It is claimed that it cannot be detected by firewalls and anti-virus programs because it masks itself as a valid program in the infected system. Once the W32.Forever.Worm program is executed, it is said to drop an embedded file in the User Profile and Documents and Setting folder. It likewise injects a DLL file in the Winlogon process and injects itself into this.