W32.Simic.Worm


Aliases: MSN-Worm.Sinmsn.a, W32/Sinis.worm, Win32/HLLW.Sinis.A, WORM_SINIS.A, W32/Sinmsn.A
Variants: I-Worm/Sinis.A, Win32.Worm.Sinmsn.A, W32/Sins, Win32/Simnsn.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 30 Jul 2003
Damage: Low

Characteristics: The W32.Simic.Worm program is a worm that spreads through MSN Messenger.

More details about W32.Simic.Worm

The W32.Simic.Worm program is a worm that spreads through MSN Messenger. When W32.Simic.Worm runs, it copies “Sins.exe” to the default MSN Messenger download folder. The W32.Simic.Worm program then executes “sins.exe”, which downloads the “Vbdlls.exe”, “sin.dll”, and “Msn.exe” files from “script.mine.nu”. The worm runs “Vbdlls.exe”, which installs the Visual Basic run-time components on the computer system. The worm then opens “Msn.exe”, which verifies whether MSN is running and, if so, sends “Sins.exe” to anyone who sends messages to the infected system.

The malware may only be acquired from MSN Messenger. Once the user downloads and executes the attachment, the program automatically resides in memory to avoid detection. When active for the first time, the malware patches the explorer.exe program in Windows for its functionality. During installation, the malware may be capable of picking a random INI file and embedding its code at the end of the file. It then proceeds to integrate it into the Windows Registry so that it executes automatically during Windows startup.

The W32.Simic.Worm program is a worm that spreads using MSN Messenger. When the worm executes, it copies “Sins.exe” to the default MSN Instant Messenger download folder. Note that “Sins.exe” could also have the name “msninst.exe”. W32.Simic.Worm opens “sins.exe”, which downloads the “Vbdlls.exe”, “Sin.dll”, and “Msn.exe” files from “script.mine.nu”. W32.Simic.Worm opens “Vbdlls.exe”, which sets up the VB Microsoft Outlook run-time components on the computer system. The worm also opens “Msn.exe”, which verifies whether MSN Messenger is running and, if so, sends “Sins.exe” to anyone who instant-messages the infected computer system.
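
The behaviour chain described above (dropper file, lookup of the download host, dropped components) can be used to triage host telemetry. The following is an added example, not part of the original write-up or any vendor tool; the event schema, host names and folder paths are constructed assumptions.

```python
from collections import defaultdict

# Indicators named in the write-up above; compared case-insensitively because
# the page itself mixes "Sins.exe"/"sins.exe" and "sin.dll"/"Sin.dll".
DROPPER_NAMES = {"sins.exe", "msninst.exe"}
PAYLOAD_NAMES = {"vbdlls.exe", "sin.dll", "msn.exe"}
DOWNLOAD_HOST = "script.mine.nu"

# Constructed sample telemetry: (host, event kind, value). Schema, host names
# and folder paths are assumptions made for this example.
SAMPLE_EVENTS = [
    ("PC-01", "file_create", r"C:\Example\Received Files\Sins.exe"),
    ("PC-01", "process_start", r"C:\Example\Received Files\sins.exe"),
    ("PC-01", "dns_query", "script.mine.nu"),
    ("PC-01", "file_create", r"C:\Example\Received Files\Vbdlls.exe"),
    ("PC-01", "file_create", r"C:\Example\Received Files\Sin.dll"),
    ("PC-01", "process_start", r"C:\Example\Received Files\Msn.exe"),
    ("PC-02", "file_create", r"D:\Example\MSNINST.EXE"),
    ("PC-03", "dns_query", "script.mine.nu.example.test"),
    ("PC-03", "file_create", r"C:\Example\notes.txt"),
]

def basename(path):
    """Lower-cased file name; splits on both separators so it runs on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def host_matches(query, indicator=DOWNLOAD_HOST):
    """True for the indicator host or a subdomain of it, not a look-alike."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)

def triage(events):
    """Map each host with at least one indicator to its stages and a verdict."""
    seen = defaultdict(set)
    for host, kind, value in events:
        if kind in ("file_create", "process_start"):
            name = basename(value)
            if name in DROPPER_NAMES:
                seen[host].add("dropper")
            elif name in PAYLOAD_NAMES:
                seen[host].add("payload")
        elif kind == "dns_query" and host_matches(value):
            seen[host].add("download_host")
    full_chain = {"dropper", "download_host", "payload"}
    return {host: {"stages": sorted(stages),
                   "verdict": "likely infected" if stages >= full_chain else "investigate"}
            for host, stages in seen.items()}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], result["stages"])
```

A single file-name hit is reported only as "investigate", since a name such as “Msn.exe” on its own is a weak indicator; the full chain on one host is what raises the verdict.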