W32.Posse


Aliases: W32/Posse Worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 21 May 2007
Damage: Low

Characteristics: W32.Posse first appeared on May 21, 2007. This worm propagates via MSN Messenger and then attempts to download other files that contain malicious threats. Windows 2000, 95, 98, Me, NT, Server 2003 and XP are the operating systems most commonly affected by this worm.

More details about W32.Posse

Once the worm is executed, it creates sp2.exe in the %System% folder. It then creates and modifies certain system registry entries. Next, the worm connects to [http://]usuarios.lycos.es/sharkito32/serve[REMOVED] in order to download a possibly malicious file; the downloaded file is saved as server.exe in drive C. The worm downloads another file, fotos_posse.zip, from [http://]usuarios.lycos.es/sharkito32/fotos_p[REMOVED]. Finally, the worm sends itself via MSN Messenger to all online users on the contact list, as the file fotos_posse.zip, which contains a copy of the worm.
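The artifacts named above (sp2.exe in %System%, server.exe in the root of drive C, and the fotos_posse.zip attachment) are what an analyst would check a file inventory against. The following script is an added example and is not part of this encyclopedia entry; it matches a list of paths against those three filenames, treats a filename in the expected directory as a confirmed hit and the same filename elsewhere as a lower-confidence name-only hit. The sample file listing is constructed, and %System% is assumed to expand to SystemRoot\System32.

```python
import os
import ntpath

# Artifacts named in the W32.Posse description (filename -> directory the worm uses).
# None means the file is the MSN attachment and is suspicious wherever it is found.
INDICATORS = {
    "sp2.exe": "%System%",
    "server.exe": "C:\\",
    "fotos_posse.zip": None,
}

# Constructed sample inventory (not from the page): a file listing from a
# hypothetical infected Windows XP host, plus benign and look-alike entries.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\sp2.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\server.exe",
    r"C:\Documents and Settings\user\My Documents\fotos_posse.zip",
    r"C:\Program Files\Vendor\sp2.exe",
]

_MISSING = object()


def resolve_system_dir(env=None):
    """Expand %System% as SystemRoot\\System32 (assumption: defaults to C:\\WINDOWS when unset)."""
    env = os.environ if env is None else env
    return ntpath.join(env.get("SystemRoot", r"C:\WINDOWS"), "System32")


def _norm_dir(path):
    """Case-fold and strip trailing backslashes so 'C:\\' and 'c:' compare equal."""
    return ntpath.normcase(path).rstrip("\\")


def match_indicators(paths, env=None):
    """Split paths into confirmed hits (name and location match) and name-only hits.

    Returns (confirmed, name_only), each preserving the input order.
    """
    system_dir = resolve_system_dir(env)
    confirmed, name_only = [], []
    for p in paths:
        name = ntpath.basename(p).lower()
        expected = INDICATORS.get(name, _MISSING)
        if expected is _MISSING:
            continue  # not a W32.Posse filename
        if expected is None:
            confirmed.append(p)  # attachment: location does not matter
            continue
        expected_dir = system_dir if expected == "%System%" else expected
        if _norm_dir(ntpath.dirname(p)) == _norm_dir(expected_dir):
            confirmed.append(p)
        else:
            name_only.append(p)
    return confirmed, name_only


if __name__ == "__main__":
    # Fixed environment so the sample run does not depend on the host it runs on.
    hits, weak = match_indicators(SAMPLE_PATHS, env={"SystemRoot": r"C:\WINDOWS"})
    for h in hits:
        print("CONFIRMED:", h)
    for w in weak:
        print("NAME-ONLY:", w)
```

Name-only hits are kept separate rather than discarded because sp2.exe and server.exe are generic names that legitimate software can also use; a file in the worm's documented location is much stronger evidence than the name alone. On a real Windows host, replace SAMPLE_PATHS with an actual directory walk and leave env unset so SystemRoot is read from the environment.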

The worm drops its files onto the system, often under unexpected file names. The components may mimic the names of legitimate processes, or use a random sequence of characters, to avoid being noticed and removed. The files used by the malicious software are commonly located in the Windows directory or in the System or System32 folder, and further copies may be placed elsewhere, which allows W32.Posse to keep running even if some of its files are erased.