W32.Relfeer


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 01 May 2007
Damage: Low

Characteristics: W32.Relfeer is a worm. It spreads through network shares and file-sharing applications. It also attempts to download other malicious files onto the infected computer. It is a slow infector and a low-risk worm that can be easily removed using updated antivirus software.

More details about W32.Relfeer

The worm W32.Relfeer propagates through unsecured network shares and file-sharing applications. When the worm executes, it drops and opens the following file: [WORM FILE NAME].ppt. Afterwards, the worm may create copies of itself under several of the following filenames: reloc32.exe, system32\updates.exe, system32\wandrv.exe, system32\WAN_DR.ULD, svhst32.exe, config_.exe, sysutil.exe, and [WORM FILE NAME].exe. The worm may also copy itself to file-sharing application folders using variable filenames. Next, the worm creates registry entries to ensure that it executes whenever Windows starts. The worm then checks for an Internet connection by trying to access the following location: www.google.de. The worm may download and execute files via HTTP from predetermined locations that include idalpi.freehostia.com and iggywal.bravehost.com. The worm may also download one or more files via FTP from the following hosts: ftp.0catch.com, renaldo241.0catch.com, and ws6.100ws.com.
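The file and host indicators above are concrete enough to triage against. The following is an added example, not code from the original write-up or from any vendor: it checks a file listing for the copy names given above and for the [WORM FILE NAME].ppt decoy sitting beside a same-named .exe, and scans DNS or proxy log lines for the listed download hosts. The sample listing and log lines are constructed, and the decision to match the system32 names anywhere on disk is an assumption made for conservatism.

```python
from pathlib import PureWindowsPath

# Copy names listed in the write-up, matched case-insensitively on the basename.
# (The write-up places updates.exe, wandrv.exe and WAN_DR.ULD under system32;
# matching them anywhere is a deliberate, more conservative assumption.)
KNOWN_NAMES = {"reloc32.exe", "updates.exe", "wandrv.exe", "wan_dr.uld",
               "svhst32.exe", "config_.exe", "sysutil.exe"}

# HTTP and FTP download hosts listed in the write-up. www.google.de is left out
# on purpose: it is only the worm's connectivity check and a common destination.
KNOWN_HOSTS = {"idalpi.freehostia.com", "iggywal.bravehost.com",
               "ftp.0catch.com", "renaldo241.0catch.com", "ws6.100ws.com"}


def find_relfeer_files(paths):
    """Return (path, reason) pairs for files worth a closer look."""
    hits = []
    siblings = {}  # (directory, stem) -> {suffix: original path}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in KNOWN_NAMES:          # check 1: known copy name
            hits.append((p, "known W32.Relfeer copy name"))
        key = (str(wp.parent).lower(), wp.stem.lower())
        siblings.setdefault(key, {})[wp.suffix.lower()] = p
    # check 2: an .exe next to a .ppt of the same base name, mirroring the
    # [WORM FILE NAME].ppt decoy opened after [WORM FILE NAME].exe is dropped
    for group in siblings.values():
        if ".exe" in group and ".ppt" in group:
            hits.append((group[".exe"], "executable paired with same-named .ppt decoy"))
    return hits


def find_relfeer_hosts(log_lines):
    """Return the log lines that mention one of the worm's download hosts."""
    return [ln for ln in log_lines
            if any(host in ln.lower() for host in KNOWN_HOSTS)]


# Constructed sample input so the script runs stand-alone (not real telemetry).
SAMPLE_FILES = [
    r"C:\Windows\system32\updates.exe",
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Users\alice\Downloads\quarterly.ppt",
    r"C:\Users\alice\Downloads\quarterly.exe",
    r"C:\Program Files\SharedFiles\Sysutil.exe",
]
SAMPLE_DNS = [
    "2007-05-02 09:14:03 host1 query www.google.de A",
    "2007-05-02 09:14:05 host1 query idalpi.freehostia.com A",
    "2007-05-02 09:15:11 host1 query update.microsoft.com A",
]
```

Run on the sample data, `find_relfeer_files` flags updates.exe, Sysutil.exe and the quarterly.exe/quarterly.ppt pair, and `find_relfeer_hosts` returns only the idalpi.freehostia.com line.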

W32.Relfeer may also be used to add unwanted programs to the system. These are downloaded, installed, and executed on the system, and registry entries may be created so that they run at system startup. Data files may be copied, moved, or deleted, and system settings may be changed. Certain features may be disabled to prevent the malware from being removed. The running processes of anti-malware applications may be stopped or erased, and access to security websites may be blocked to prevent security software from updating.