W32.Renco@mm


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 21 Jun 2007
Damage: Low

Characteristics: W32.Renco@mm is a mass-mailing worm that infects Windows systems. It may dial premium-rate numbers from the infected computer. It sends itself to e-mail addresses collected from the Windows Address Book. The worm is a slow infector and causes low damage. It can be removed easily using an updated antivirus program.

More details about W32.Renco@mm

When the worm is executed, it copies itself as the file i2.exe in the ShellExt subfolder of the System folder. It also drops the files laura.exe and eml32.dll in the System folder, and tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].out and tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].js in the Temp folder. These files are deleted by the worm. It attempts to terminate any processes with the following window name: AOL. Next, the worm creates a mutex to prevent multiple instances from running. The worm modifies the file rasphone.pbk to create a new modem connection. It then modifies the registry to disable the use of a proxy. The worm may also change the Internet Explorer home page. The worm collects e-mail addresses from the Windows Address Book and sends itself as a .zip file attachment to the gathered addresses.
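The file artifacts listed above can be checked against a file listing exported from a suspect host. The following is an added example, not part of the original write-up: the function names, the default `SYSTEM_DIR` and `TEMP_DIR` locations (the page says only "System folder" and "Temp folder") and the sample listing are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed default locations; adjust to the host being examined.
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")
TEMP_DIR = PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp")

# "tmp_" + exactly 8 hexadecimal digits + ".out" or ".js", as the page describes.
TEMP_NAME = re.compile(r"tmp_[0-9a-f]{8}\.(out|js)", re.IGNORECASE)


def classify(path, system_dir=SYSTEM_DIR, temp_dir=TEMP_DIR):
    """Return a reason if path matches a documented artifact, else None."""
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    name = p.name.lower()
    if name == "i2.exe" and p.parent == system_dir / "ShellExt":
        return "worm copy in System\\ShellExt"
    if name in ("laura.exe", "eml32.dll") and p.parent == system_dir:
        return "dropped file in System folder"
    if TEMP_NAME.fullmatch(p.name) and p.parent == temp_dir:
        # The page says the worm deletes these files, so absence proves nothing.
        return "transient temp file"
    return None


def scan(paths, **dirs):
    """Map each matching path to its reason; non-matching paths are omitted."""
    found = ((p, classify(p, **dirs)) for p in paths)
    return {p: reason for p, reason in found if reason}


# Constructed file listing for illustration, not taken from a real host.
SAMPLE = [
    r"C:\Windows\System32\ShellExt\i2.exe",
    r"c:\windows\system32\LAURA.EXE",
    r"C:\Windows\System32\eml32.dll",
    r"C:\Users\alice\AppData\Local\Temp\tmp_0A1B2C3D.js",
    r"C:\Users\alice\AppData\Local\Temp\tmp_12345.out",  # only 5 digits
    r"C:\Tools\i2.exe",                                   # right name, wrong folder
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE).items():
        print(f"{reason:32} {path}")
```

A match on file name and location alone is a lead for further triage, not confirmation of infection.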

Security risks rated severe are normally installed without any user interaction, through system flaws, and can seriously compromise the security of the PC and the user. Such risks open illicit network connections, use multiple polymorphic tactics to enable self-mutation, frequently disable security software, modify numerous system files, and install additional malware. These threats collect and transmit PII (Personally Identifiable Information) without any consent and severely degrade PC performance and machine stability.