Aliases: W32/Rahiwi.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 07 May 2007
Damage: Low

Characteristics: W32.Rahiwi.A is a worm. It infects all Windows systems and propagates by copying itself to the root of all drives, including removable drives, local drives and network shares. The worm is a slow infector. It does low damage to the infected computer and is easy to remove using up-to-date antivirus software.

More details about W32.Rahiwi.A

The worm W32.Rahiwi.A infects all Windows systems and propagates by copying itself to the root of all drives. When executed, it creates Data_Rahasia Administrator.exe, Tiwi_Cute.exe, autorun.inf and present.txt in the root of all drives. It also creates the folder C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS if it does not exist. It then copies itself as cute.exe, imoet.exe, smss.exe and winlogon.exe in the Windows folder; smss.exe and winlogon.exe in the Application Data folder; empty.pif in the Startup folder; IExplorer.exe, rpcss.dll, shell.exe and tiwi.scr in the Windows System folder; and tiwi.exe in the Windows folder. The worm alters the registry so that it runs every time Windows starts. It also modifies the registry so that it is executed whenever a .bat, .com, .exe, .inf, .lnk or .pif file is double-clicked.
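The file names listed above can be turned into a quick triage check. The following Python sketch is an added example, not part of the original write-up or of any vendor tool; it covers only drive roots, the Windows folder and the Windows System folder, and the function names and the System32 default are assumptions.

```python
import os
from pathlib import Path

# File names taken from the description above (compared case-insensitively).
ROOT_EXES = {"data_rahasia administrator.exe", "tiwi_cute.exe"}
ROOT_COMPANIONS = {"autorun.inf", "present.txt"}  # common names, weak on their own
# The genuine smss.exe and winlogon.exe live in the System folder, so copies
# directly in the Windows folder are anomalous.
WINDOWS_DROPS = {"cute.exe", "imoet.exe", "smss.exe", "winlogon.exe", "tiwi.exe"}
SYSTEM_DROPS = {"iexplorer.exe", "shell.exe", "tiwi.scr"}
# rpcss.dll also ships with Windows in the System folder; presence proves
# nothing, so it is only queued for hash or signature review.
SYSTEM_REVIEW = {"rpcss.dll"}


def _present(directory, names):
    """Paths of files directly inside `directory` whose name is in `names`."""
    try:
        entries = list(Path(directory).iterdir())
    except OSError:  # missing drive, unreadable share, not a directory
        return []
    return sorted(str(p) for p in entries if p.is_file() and p.name.lower() in names)


def scan(drive_roots, windows_dir, system_dir):
    """Group Rahiwi-style file artifacts by the location they were found in."""
    findings = {"root": [], "windows": [], "system": [], "review": []}
    for root in drive_roots:
        hits = _present(root, ROOT_EXES)
        if hits:  # report autorun.inf/present.txt only beside a worm executable
            hits += _present(root, ROOT_COMPANIONS)
        findings["root"] += hits
    findings["windows"] = _present(windows_dir, WINDOWS_DROPS)
    findings["system"] = _present(system_dir, SYSTEM_DROPS)
    findings["review"] = _present(system_dir, SYSTEM_REVIEW)
    return findings


if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\Windows")
    roots = [f"{c}:\\" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ"]
    for where, paths in scan(roots, win, os.path.join(win, "System32")).items():
        for path in paths:
            print(f"{where}: {path}")
```

A name match is only a lead: confirm each hit with an antivirus scan or a hash comparison before deleting anything.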

The worm W32.Rahiwi.A also swaps the mouse buttons and changes the Internet Explorer home page, search page and window title. In addition, it changes the screensaver. W32.Rahiwi.A can also add unwanted applications to the system. These are downloaded from the server and installed, and their processes may be added as values to the system registry. Applications that can be installed this way include adware, spyware and Trojan programs. They are launched and run in the background without the user's knowledge. Users report that infected machines tend to run slower than usual, because the additional files and programs use up resources such as disk space and RAM. The Internet connection can also run slower than usual, because W32.Rahiwi.A uses up bandwidth.