W32.Sibaru.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 May 2007
Damage: Low

Characteristics: W32.Sibaru.A is a worm that spreads to hardcoded drive letters and network resources.

More details about W32.Sibaru.A

When W32.Sibaru.A opens, it duplicates itself as “%Windir%\Soccer Mania.exe”, “%Windir%\system\SysDriver.sys”, “%Windir%\system\SVCHOST.EXE”, “%System%\SysDriver.sys”, and “%System%\SVCHOST.EXE”. Then, it adds the registry key so that the worm opens each time your windows opens. It also removes “%System%\riyani_jangkaru.exe” and “C:\riyani_jangkaru.exe” files, if they exist in your computer. The W32.Sibaru.A may end the process with the window filename “Shell_TrayWnd”. It can duplicate itself as “%Windir%\Master Game Soccer\Soccer Mania.exe”. The W32.Sibaru.A can make the “%Windir%\MMaster Game Soccer\folder.htt” file. It may also make “%Windir%\desktop.ini” that has “[.ShellClassInfo]”, “ConfirmFileOp = 0”, “[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]”, “PersistMoniker=file://Master Game Soccer\Folder.htt”, and “[ExtShellFolderViews]”. Then, the worm tries to duplicate itself to all the drives as “%Windir%\Soccer Mania.exe”. The W32.Sibaru.A program enumerates the network files to contaminate shared systems. If any are found, it duplicates itself as “%Windir%\Soccer Mania.exe”.

The W32.Sibaru.A program may make some computer modifications after successful intrusion of the user’s computer. It creates a copy of itself in the computer’s hard disk. This copy will be renamed notepad.exe. It also adds new registry values in the system start-up directory to allow the program to initiate at every system boot. The computer worm also launches the iexplore.exe process and svchost.exe. The application will try connecting to a remote server to start download. The W32.Sibaru.A program displays different kinds of messages on the system time. For instance, at 5:00 of each Monday, the worm displays: Title “For Virus Maker”, Text “Eh Semua virus maker. Kalian tuch bisanya Cuma buat Virus yang membahayakan Computer. Cobe, kalo kalian bias buat Virus yang bias membangkitkan jiwa penggemar Bola!!, kayak Gua nech buat VIRUS GILA BOLA!” or Title “For all Computer Users”, Text “ Biar semua orang tau kalo virus bukan saja bias membahayakan computer, tapi bias member semangat pengemar Sepak bola Dunia looo! Ingat itu baik-baik!