Aliases: W32/Remadworm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 26 Mar 2007
Damage: Medium

Characteristics: W32.Remadworm is a worm that infects Windows systems. It may connect the infected computer to malicious websites and open a backdoor. It spreads through removable media drives. It is a slow infector and may cause medium damage to an infected computer. The worm is easy to remove.

More details about W32.Remadworm

The worm W32.Remadworm spreads using removable media drives. When the worm is executed, it creates the following files: driver.exe and wuaucll.exe in drive C, DRIVER.EXE and autorun.inf in drives D, E, and F. The worm then modifies the registry so that it is executed every time a file with a .exe extension is executed. The worm also modifies the registry so that it is executed every time Windows starts. It also creates a hidden window with the following class name and title: #QQ0210. It will close every Chinese version of the Registry Editor that it finds running. The worm ends the following security-related services: rsravmon and alg. Using Internet Explorer, the worm periodically connects to the following URL and checks the title of the page: mmm.021mm8.com/pop/api.asp.

When the title of the page contains a Chinese version of "Server not found", it will do nothing. If it contains "beginop", it will load it using Internet Explorer as if it were a URL. If it contains "beginpd", it may listen on TCP port 14012 and may send some sensitive information.

A system infected by W32.Remadworm that is connected through a single network may easily transmit threats to other computers. Instant messaging programs may also be a means of propagation: sending and receiving files through instant messaging programs transmits threats to other computers. This happens when the computer is not protected by a security program or a firewall. W32.Remadworm may be difficult to remove from the affected computer, because it terminates the processes that are associated with security programs.
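The file artifacts listed above can be turned into a quick triage check for drive roots. The following is an added example, not part of the original write-up. It assumes the files sit directly in each drive's root and that the dropped autorun.inf launches DRIVER.EXE through the standard `open` or `shellexecute` key, neither of which the description states. The function and constant names are hypothetical.

```python
import os
import tempfile

# File names from the description above (assumed to sit in each drive's root).
SYSTEM_DRIVE_FILES = {"driver.exe", "wuaucll.exe"}
OTHER_DRIVE_FILES = {"driver.exe", "autorun.inf"}
LAUNCH_KEYS = {"open", "shellexecute"}  # autorun.inf keys that start a program


def autorun_targets(path):
    """Return the file names an autorun.inf asks Windows to launch."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in LAUNCH_KEYS:
                program = value.strip().strip('"').replace("\\", "/")
                targets.append(program.rsplit("/", 1)[-1].lower())
    return targets


def triage_root(root, system_drive=False):
    """Return (kind, name) leads found directly under one drive root."""
    wanted = SYSTEM_DRIVE_FILES if system_drive else OTHER_DRIVE_FILES
    leads = []
    for entry in sorted(os.listdir(root)):
        name = entry.lower()
        if name not in wanted:
            continue
        if name != "autorun.inf":
            leads.append(("file", name))
        elif "driver.exe" in autorun_targets(os.path.join(root, entry)):
            # A vendor autorun.inf that starts something else is not reported.
            leads.append(("autorun-launches-driver.exe", name))
    return leads


if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for a removable drive.
    with tempfile.TemporaryDirectory() as drive:
        open(os.path.join(drive, "DRIVER.EXE"), "wb").close()
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=DRIVER.EXE\n")
        print(triage_root(drive))
```

A hit is a lead for further inspection rather than a verdict, since a file named driver.exe can be legitimate.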