Aliases: W32/Setclo.worm, Win32/VB.IL, Worm.Automat.AHO
Variants: Worm.VB!sd5, Worm.Win32.VB.lt, Generic VB.b

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 09 Dec 2004
Damage: Medium

Characteristics: W32/Setclo-A is a worm for the Windows OS. W32/Setclo-A will multiply by trying to duplicate itself to drives on the computer and to run network shares.

More details about W32.Setclo

The W32.Setclo spreads by making use of the open shares on the network of your computer system. When the W32.Setclo program is executed, the worm duplicates itself to the drive C: and to the root of any open share as setup.exe. In addition to this, an “autorun.inf” file is also crashed in the root of all the drives planned to execute the setup.exe making use of the Windows automatic run feature. The registry key is made so that it will run after every restart, so that the contamination will increase.

The W32.Setclo program copies itself to the hard disk and modifies the registry to ensure that it loads automatically every time the computer boots up. It then harvests e-mail addresses from the hard disk. It automatically sends itself through e-mail by directly connecting to the recipient's Simple Mail Transfer Protocol (SMTP) server. The W32.Setclo program may exploit the security flaws of the computer. It may particularly disable antivirus and firewall applications. It hides its own processes, files and registry changes using a kernel-mode rootkit. It may also install backdoor applications in the infected computer. These backdoor applications may be used by other worm programs to gain entry in the computer system.