Aliases: I-Worm.Calposa [AVP], WORM_CALPOSA.A [Trend], W32/Calposa.worm [McAfee]
Variants: W32/Poscal.worm

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 06 Nov 2002
Damage: Low

Characteristics: W32.Poscal.Worm first appeared on November 6, 2002. It is a worm that tries to propagate by sending itself across KaZaa file-sharing networks. It also sends itself to all email addresses in the Microsoft Outlook address book. This worm mostly affects Windows 2000, 95, 98, Me, NT and XP.

More details about W32.Poscal.Worm

Once W32.Poscal.Worm is executed, it performs several actions. First, the worm displays the message “…Calposa by Industry @ ANVXgroup…” in a “UH OH WORM!” dialog box. If it is clicked, the worm copies itself as ActiveX.exe, SCR.exe, Mixer.exe, FK_AVs.exe, Explorer.exe, regedit.exe and Telnet.exe in the Windows folder on drive C. If the folder Kazaa in My Shared folders on drive C exists, the worm produces more copies of itself as Norton_crack.exe, UT3_full_crack.exe, Windows_Hack.exe and Sims_Patch.exe. The System.ini file is then overwritten. The code in the worm program indicates that it uses Microsoft Outlook to spread by sending itself to all email addresses in the Microsoft Outlook address book. The email has the subject “Anti-Virus Programs are corrupting your Software!” and FK_AVs.exe as the attachment.
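
As an added example (not part of the original write-up), a mail-gateway style check for the two email indicators described above: the subject line and the FK_AVs.exe attachment name. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison.
SUBJECT = "anti-virus programs are corrupting your software!"
ATTACHMENT = "fk_avs.exe"

def poscal_indicators(raw_bytes):
    """Return which Poscal mail indicators appear in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # Collapse folded-header whitespace; substring match tolerates "Fw:" prefixes.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if SUBJECT in subject:
        hits.append("subject")
    # walk() visits every MIME part, so nested attachments are checked too.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def build_sample(subject, filename):
    """Constructed test message; the attachment body is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [
        ("Anti-Virus Programs are corrupting your Software!", "FK_AVs.exe"),
        ("Fw: ANTI-VIRUS PROGRAMS ARE CORRUPTING YOUR SOFTWARE!", "notes.txt"),
        ("Quarterly report", "report.pdf"),
    ]:
        print(subj, "->", poscal_indicators(build_sample(subj, fname)))
```

A message that matches only one indicator is still worth reviewing, since the attachment name alone is distinctive while the subject may appear in forwarded warnings about the worm.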

The W32.Poscal.Worm program is capable of downloading different kinds of illicit programs, including adware and spyware programs, dialer applications and other viruses. These additional components are executed on the affected computer without the user’s knowledge. Users may notice new shortcut icons on the desktop, which may have been added together with the downloaded files. The user’s privacy and security are compromised when the computer is infected with these threats. Some components may be able to gather information about the affected computer, such as the OS (operating system), RAM (Random Access Memory), IP (Internet Protocol) address and the user’s PII (Personally Identifiable Information). This information may be sent to third parties, and remote users may take advantage of it to perform illicit activities.