W32.Safook


Aliases: Generic2.MNB, Trojan-Downloader.Win32.Delf.bbc
Variants: Trojan.Downloader.Small.AIS, Win32:Bifrose-BRC [Trj]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 06 Nov 2006
Damage: Medium

Characteristics: W32/Safook is a worm that propagates via network shares and by duplicating itself to all .exe files that it finds on the compromised system. It also downloads and executes other threats from the Internet. The worm affects Windows Operating System platforms such as Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP.

More details about W32.Safook

This application is identified as a network worm. The W32/Safook application searches the network for unsecured folders. It also exploits the vulnerability of network shares protected with weak passwords. A copy of the program is placed on the shared directories within the network. Once the worm executes, it creates winabc3.exe in the Windows installation folder and adds KernelFaultCheck values to the registry sub key in order to execute the worm whenever Windows starts. The worm copies itself to .exe files in all network shares on the compromised computer and downloads a copy of another threat on to the compromised computer. The main distribution channel used by the W32/Safook application is the Internet Relay Chat (IRC) network.

Trojan applications need to be installed manually in the system. Covert means are often used to trick users into granting them access. The W32.Safook program uses corrupted websites to spread. The programming script is posted on malicious or hacked web pages. The source code is hidden with the other codes used to format the page. It is read by web browsers and executed. The software may also be bundled with other files. Users may download installers without knowing they contain hidden components. The malware program is executed when the installer is opened.