W32.Meetot


Aliases: Trojan.Win32.Delf.gm, Troj/BDDelf-A, Trojan:Win32/Delf
Variants: TROJ_DELF.KO, Generic Delphi, TR/Delf.GM.8

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Jun 2005
Damage: Low

Characteristics: Written in the Visual Basic programming language and compiled as an executable file, it requires user intervention to deliver its payload to a target computer system. W32.Meetot requires access to database files used by the operating system in order to launch correctly on the host machine. Many computer security experts have observed it using poorly protected mapped network drives as the transport mechanism for its spreading routine.

More details about W32.Meetot

If an unwary computer user executes the W32.Meetot trigger file, it generates a copy of itself in the directory folder used by the operating system. The dropped file carries an EXE extension and serves as the main executable of this malware. W32.Meetot then attempts to copy a predetermined MDB-format file into the same location where the malware resides. Once it has established itself in the target directory, W32.Meetot causes the operating system to display an error message. According to some antivirus developers, the host machine freezes after the message is displayed: the operating system fails to load and the user is forced to hard boot.

W32.Meetot adds the WORKNOTEL key to the Windows Registry; this new key value points to the exact location of the malware's main executable on the hard drive. The entry is placed under the RUN instruction so that the malware is loaded automatically at every restart or boot-up sequence. W32.Meetot also creates a MEETING NOTES folder on every mapped drive defined on the infected machine and uses it to store its EXE and MDB file components.
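As an added defender-side check that is not part of the original listing, the Python below flags the two traits described above: the WORKNOTEL autorun value and a MEETING NOTES folder holding an EXE and MDB pair on a mapped drive. It assumes the WORKNOTEL value sits under a standard Run key (reading the registry is left to the caller) and uses a constructed temporary directory in place of a real mapped drive.

```python
import tempfile
from pathlib import Path

# Indicator names are taken from the description above; the Run-key location
# (HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run) is an assumption.
RUN_VALUE_NAME = "WORKNOTEL"
DROP_FOLDER = "MEETING NOTES"


def check_run_entries(run_values):
    """run_values: {value name: command} as exported from a Run key.
    Flags the WORKNOTEL value and any command launched from a MEETING NOTES folder."""
    findings = []
    for name, command in run_values.items():
        if name.upper() == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} present: {command}")
        elif DROP_FOLDER.lower() in command.lower():
            findings.append(f"Run value {name!r} launches from a {DROP_FOLDER} folder: {command}")
    return findings


def check_drive_roots(roots):
    """roots: mapped-drive roots (for example 'Z:\\'). Reports a MEETING NOTES
    folder that holds the EXE and MDB pair the worm stores there."""
    findings = []
    for root in roots:
        folder = Path(root) / DROP_FOLDER
        if not folder.is_dir():
            continue
        suffixes = {p.suffix.lower() for p in folder.iterdir() if p.is_file()}
        if {".exe", ".mdb"} <= suffixes:
            findings.append(f"{folder}: EXE and MDB pair present")
        else:
            findings.append(f"{folder}: folder present, contents {sorted(suffixes)}")
    return findings


def build_demo_drive():
    """Constructed sample: a temporary directory standing in for a mapped drive
    that already carries the worm's folder. Returns the root path as a string."""
    root = Path(tempfile.mkdtemp())
    folder = root / DROP_FOLDER
    folder.mkdir()
    (folder / "worknote.exe").write_bytes(b"MZ placeholder")  # constructed stand-in, not the real file
    (folder / "notes.mdb").write_bytes(b"placeholder")
    return str(root)


if __name__ == "__main__":
    demo_run = {"WORKNOTEL": r"C:\Windows\System\worknote.exe", "OneDrive": r"C:\Users\me\OneDrive.exe"}
    for line in check_run_entries(demo_run) + check_drive_roots([build_demo_drive()]):
        print(line)
```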