Aliases: Troj/Agent-GXN, Win32:Rootkit-gen, TR/Crypt.XPACK.Gen, P2P-Worm.Win32.Socks.hc, Win32/SillyAutorun.OM
Variants: W32/Autorun.worm.c!3c110a9867e1, Trojan-Downloader.Win32.Obfuscated.agq, W32/Zlob.BWPM, W32/Downldr2.CZTV, Win32/Tnega.CL

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Apr 2008
Damage: Medium

Characteristics: Some antivirus programs detect this malware as a backdoor or downloader. W32.Mandaph uses fixed and mapped drives as its transport mechanism for propagating to and infecting other computer systems. It has been observed to open a backdoor component on the compromised machine, allowing additional, potentially more dangerous files to be delivered and executed locally.

More details about W32.Mandaph

On its initial execution, this malware attempts to delete a specific file stored in the root directory of the hard drive. W32.Mandaph then checks for the presence of a virtual environment: if either the VirtualPC or the VMware processes are found on the host machine, the malware does not launch. W32.Mandaph creates a new file in the root directory that serves as an infection marker for the computer system. Executable copies of the malware are placed in the operating system directory and in the user's profile; these serve as part of the threat's main components. Additionally, W32.Mandaph drops SYS and DLL files in the same locations.

W32.Mandaph modifies Windows Registry keys so that it loads automatically at system boot, and also to disable other malware strains that may be active on the host system. This malware may also attempt to take control of the machine's print spooling process. W32.Mandaph registers a Browser Helper Object that negatively affects some functions of the Web browser. It uses HTTP to contact malicious websites in an attempt to download additional instructions and execute them. W32.Mandaph also creates additional DAT files in which it stores further data.