Aliases: Worm.Win32.Aler.a, Win32.HLLW.Golten, W32/Mofei-E, Worm:Win32/Golten.A, WORM_GOLTEN.A
Variants: Worm/Aler.A.5, W32/Aler.A, Worm/Aler.D, Win32.Mofei.E, W32/Aler.A.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 11 Nov 2004
Damage: Low

Characteristics: The W32.Scard program is a worm with backdoor abilities. It uses a NetBIOS attack to propagate to computer systems with weak passwords.

When the W32.Scard worm executes, it creates files such as “%System%\Alerter.exe”, “%System%\spc.exe”, “%System%\comwsock.dll”, “%System%\dmsock.dll”, “%System%\SCardSer.exe”, and “%System%\sptres.dll”. Note that %System% is a variable that refers to the System folder. By default, this is “C:\Winnt\System32” (Windows NT/2000), “C:\Windows\System32” (Windows XP), or “C:\Windows\System” (Windows 95/98/Me). The worm attaches the file “sptres.dll” to the “Explorer.exe” process. It scans for computers with weak passwords and tries to carry out a NetBIOS attack on them. It also tries to copy itself to a computer as “ADMIN$\System32\Alerter.exe” and “ADMIN$\System32\Alerter16.exe”, making use of weak passwords.

The W32.Scard program also creates a registry entry that enables it to run automatically whenever the user restarts the computer. The program can recreate, update and repair DLLs, files, processes and registry keys on its own, which complicates any attempt to uninstall it. Security experts consider W32.Scard to be malware because of the undesirable effects it can have on the victim computer. The program introduces elevated risks without the user’s consent that could lead to the opening of illegal network connections.
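
The file names and default System folders listed above can be turned into a quick triage sweep of a live volume or a mounted disk image. The following is an added example, not part of the original write-up; the function names and the constructed sample volume are assumptions, and a name match is only a lead for further analysis, not proof of infection.

```python
import os
import tempfile

# File names the description above says the worm drops into %System%
# (Alerter16.exe is the second name it uses when copying itself over ADMIN$).
SCARD_FILES = {"alerter.exe", "alerter16.exe", "spc.exe", "comwsock.dll",
               "dmsock.dll", "scardser.exe", "sptres.dll"}
# Default %System% locations from the description, relative to the volume root.
SYSTEM_DIRS = ("Winnt/System32", "Windows/System32", "Windows/System")


def _child_ci(parent, name):
    """Find `name` inside `parent` ignoring case (mounted images are case-sensitive)."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass  # unreadable or not a directory
    return None


def find_scard_artifacts(volume_root):
    """Return sorted paths of files under the system folders whose names match."""
    hits = []
    for rel in SYSTEM_DIRS:
        path = volume_root
        for part in rel.split("/"):
            path = _child_ci(path, part) if path else None
        if not path or not os.path.isdir(path):
            continue
        hits += [os.path.join(path, e) for e in os.listdir(path)
                 if e.lower() in SCARD_FILES and os.path.isfile(os.path.join(path, e))]
    return sorted(hits)


def build_constructed_volume():
    """Constructed sample: a fake volume with two matching names and one benign file."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir)
    for name in ("ALERTER.EXE", "sptres.dll", "notepad.exe"):
        open(os.path.join(sysdir, name), "w").close()
    return root


if __name__ == "__main__":
    for hit in find_scard_artifacts(build_constructed_volume()):
        print("name match:", hit)
```

To sweep a real system, pass the volume root (for example the mount point of a forensic image) to `find_scard_artifacts` instead of the constructed sample.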