W32.Ridnu.B


Aliases: Email-Worm.Win32.Ridnu.f, W32/Drowor-A, Virus:Win32/Drowor.B, Worm.Win32.Trafaret.a
Variants: W32.Ridnu.A, W32.Ridnu.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America, Asia
Removal: Easy
Platform: W32
Discovered: 27 Dec 2006
Damage: Medium

Characteristics: W32.Ridnu.B is a worm that infects Windows systems. It spreads by copying itself to other drives. It creates the file psapi.dll on the infected computer. It also modifies the registry to hide file extensions and system files on the infected computer, and it disables some common monitoring tools.

More details about W32.Ridnu.B

When a user executes W32.Ridnu.B, the worm copies itself as explorer.exe and explorer.scr on drive C. It also copies itself as Mr_CoolFace.exe and ameajeve.exe in the System folder, as msconfig.exe in the Windows installation folder, and to other locations. It also copies itself to drives C, D, E, F, and G under various file names. It then creates the file psapi.dll on the Desktop, under the subfolder babel. The worm modifies the registry to hide file extensions and to hide system files on the infected computer, and adds registry values that disable some common monitoring tools. It then creates a mutex named "Mr_CoolFace" so that only one instance of the threat runs on the infected computer.

In addition, the worm searches for windows whose titles contain certain strings and terminates the associated processes. It may display a message box with the title "Mr_CoolFace Mohon Maaf Lahir Dan Batin", and it may open the CD-ROM tray. On entering the system, W32.Ridnu.B creates a file, usually in the Windows directory. It may also store other files and components of itself in hidden folders to avoid discovery. It typically adds values to several registry entries so that it is launched each time Windows starts.
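As an added example (not part of the original entry), the following Python triage function checks a constructed host snapshot for the artifacts described above: the dropped copies, the Desktop\babel\psapi.dll drop, the Explorer hiding settings and the "Mr_CoolFace" mutex. The System and Windows folder locations and the Explorer value names HideFileExt and ShowSuperHidden are assumptions, since the entry names neither.

```python
# Paths of the dropped copies named in the entry. The System and Windows folders
# are assumed to be the defaults C:\Windows\System32 and C:\Windows.
DROPPED_FILES = {
    r"c:\explorer.exe",
    r"c:\explorer.scr",
    r"c:\windows\system32\mr_coolface.exe",
    r"c:\windows\system32\ameajeve.exe",
    r"c:\windows\msconfig.exe",
}
PSAPI_SUFFIX = r"\desktop\babel\psapi.dll"  # dropped under any user's Desktop\babel
MUTEX_NAME = "Mr_CoolFace"

# Explorer settings that hide extensions / system files. The entry does not name the
# values; these are the standard Explorer\Advanced value names (assumption).
ADVANCED_KEY = r"hkcu\software\microsoft\windows\currentversion\explorer\advanced"
HIDING_VALUES = {"hidefileext": 1, "showsuperhidden": 0}


def triage(files, registry, mutexes):
    """Return the indicator descriptions matched by a host snapshot.

    files    : iterable of full file paths present on disk
    registry : dict mapping (key, value_name) -> integer data
    mutexes  : iterable of named-mutex names visible on the host
    """
    findings = []
    present = {f.lower() for f in files}  # Windows paths are case-insensitive
    for path in sorted(DROPPED_FILES & present):
        findings.append(f"dropped file: {path}")
    for path in sorted(present):
        if path.endswith(PSAPI_SUFFIX):
            findings.append(f"dropped file: {path}")
    reg = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}
    for name, bad in HIDING_VALUES.items():
        if reg.get((ADVANCED_KEY, name)) == bad:
            findings.append(f"registry hiding: {name}={bad}")
    if MUTEX_NAME in mutexes:
        findings.append(f"mutex: {MUTEX_NAME}")
    return findings


# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_FILES = [
    r"C:\explorer.exe", r"C:\explorer.scr",
    r"C:\Windows\explorer.exe",  # the legitimate shell binary, not an indicator
    r"C:\Users\alice\Desktop\babel\psapi.dll",
    r"C:\Windows\System32\Mr_CoolFace.exe",
]
SAMPLE_REGISTRY = {(ADVANCED_KEY, "HideFileExt"): 1, (ADVANCED_KEY, "ShowSuperHidden"): 0}
SAMPLE_MUTEXES = ["Mr_CoolFace"]

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_MUTEXES):
        print(line)
```

On a live host the three inputs would come from a directory listing, a registry export and a handle enumeration; the function itself only needs those values, so it runs offline on the sample above.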