Aliases:  W32/Nohoper-7397, I-Worm/Nohoper.7397, WORM_NOHOPER.7397, W32/Nohoper.7397@mm, Nohoper.7397 Internet Worm
Variants: Email-Worm.Win32.Nohoper.7397

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 01 Sep 2002
Damage: Low

Characteristics: W32.Nohoper.7397 is considered as an Internet Worm that may cause data loss or other misbehavior including performance degradation. This is detected as email-Worm.Win32.Nohoper.7397 by some antivirus programs. Reports say that it will infect PE files or Portable Executable files. A good example of a Portable Executable is a screen saver (.scr) file. The virus also contains encryption codes in order for the virus to hide its track and code from several antivirus applications. Once executed, it searches for Kernel32.dll in the memory and it scrutinizes its functions so that in turn, it can also use that function for infection. When it’s successful, it consequently finds the hard drive for executable files or “.exe” files.

More details about W32.Nohoper.7397

It randomly chooses 20 PE files in the windows system directory folder then changes the entry point of the infected file. As such, computer users may notice that the date and time stamp of all infected files are changed to the current system date and time. All platforms of Windows Operating System platforms can be affected by this virus. It also uses emails to collect files of the compromised computer. The worm automatically sends itself to the email addresses it gathers from the files on an infected computer. Mostly, it gets all the contacts from the Microsoft Outlook Address Book. The email message displays on its subject, “Some freeporn.” While on its message says, “Here is the file you asked for...” This also contains an attachment saying, “Freeporn.exe.pif.” It also makes use of the Internet Relay chat site known as mIRC to spread. If mIRC is installed on the infected system, the virus creates Mirc.ini so that the infected C:\Freeporn.exe.pif file is sent to other mIRC users. ifference is that the virus does not re-infect files. But a lot of the important files in the compromised computer are modified and will not usable.

According to some users, the W32.Nohoper.7397 program allows an intruder to remotely control the victim computer through the Internet or Local Area Network (LAN). Once the program has been installed, the intruder can send several damaging and malicious commands. These commands include deletion of files, uploading and downloading of files, and installation of other malicious programs. The intruder could also disable applications such as security programs. The W32.Nohoper.7397 program could perform computer shutdowns and restarts. The affected computer could also be used to participate in attacks on Web servers.