W32.Launcer.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 29 Mar 2008
Damage: Low

Characteristics: W32.Launcer.A is a worm. It spreads through removable drives and displays fake warnings that the Operating System on the infected computer is pirated. It pops up warnings saying “You are using a pirated (illegal) version of Microsoft.”

More details about W32.Launcer.A

When the worm is executed, it creates the files svc.exe and Autorun.inf in the Windows System folder. It also creates the files svc.exe and autorun.inf in all removable drives every five minutes. When there is only one removable drive on the infected computer, the worm will not create a copy of itself in the A drive. When the worm executes, it displays a message saying: “You are using a pirated...” The message asks the user to register a a copy of windows. If the user clicks on “Yes”, Internet Explorer will be executed. Every five minutes, the worm checks for open windows and looks for titles that contain the strings: Winamp, Player, jet, Cyberlink, and VLC. The worm closes any windows that contain these strings. It then displays a message that says: “We are sorry for the inconvenience...”

The application is identified by malware detectors as a network worm. The program propagates itself on connected computers on the network. The W32.Launcer.A application creates replicates and drops them onto unsecured network shares available on the network. The program may overwrite files on the hard disk upon its propagation. The program is often acquired via peer-to-peer (P2P) file sharing networks. It utilizes the file sharing capabilities of P2P applications. The application is often attached to the installation packages of freeware and shareware programs.