W32.Snaban


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Sep 2007
Damage: Medium

Characteristics: W32.Snaban is a worm that spreads by copying itself to network drives and removable drives attached to the compromised PC. It steals private information by logging keystrokes.

More details about W32.Snaban

When the worm runs, it copies itself to these locations: “%System%\WinRAR.exe”, “%System%\NetODBC.exe”, “%System%\real.exe” and “%System%\Explore.exe”. It then identifies all the folders on network shares and removable drives. After that, it copies itself to the subfolders of network shares and removable drives under these names: “[ROOT FOLDER]\CONFIG.COM”, “[ROOT FOLDER]\autoexec.bat”, “[ROOT FOLDER]\folder.exe”, “[ROOT FOLDER]\setup.exe”, “[ROOT FOLDER]\Winrar.exe”, “[ROOT FOLDER]\work.rar”, “[ROOT FOLDER]\setup.rar”, and “[ROOT FOLDER]\book.rar”.

The W32.Snaban worm may edit the system's configuration settings when it runs on the computer. It will possibly create a copy of itself in the system's subfolder, which hides the application's files from manual detection by the user. It may encrypt itself in the system registry, which allows the worm to launch every time the computer boots. The W32.Snaban worm may also cause poor computer performance.
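
An added example, not part of the original entry: a Python sweep that looks in one folder for the file names listed above and flags groups of them with identical content, since names such as setup.exe or autoexec.bat are common on clean systems. It assumes the worm's copies are byte-identical; the function names and the sample files in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# File names from the description above, lower-cased for comparison.
SYSTEM_NAMES = {"winrar.exe", "netodbc.exe", "real.exe", "explore.exe"}
DRIVE_NAMES = {"config.com", "autoexec.bat", "folder.exe", "setup.exe",
               "winrar.exe", "work.rar", "setup.rar", "book.rar"}

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sweep(folder, names):
    # hits: listed names present in the folder (weak signal on its own).
    # clusters: two or more listed names whose content is identical, which
    # is what a self-copying program leaves behind (assumption, see lead-in).
    hits, by_hash = [], defaultdict(list)
    for entry in Path(folder).iterdir():
        if entry.is_file() and entry.name.lower() in names:
            hits.append(entry.name)
            try:
                by_hash[sha256_of(entry)].append(entry.name)
            except OSError:
                pass  # locked or unreadable file: keep the name hit only
    clusters = [sorted(group) for group in by_hash.values() if len(group) > 1]
    return sorted(hits), sorted(clusters)

def demo():
    # Constructed sample: three identical files under listed names, one
    # unrelated autoexec.bat, and one file whose name is not on the list.
    with tempfile.TemporaryDirectory() as root:
        for name in ("setup.exe", "folder.exe", "book.rar"):
            Path(root, name).write_bytes(b"constructed identical payload")
        Path(root, "autoexec.bat").write_bytes(b"@echo off\r\n")
        Path(root, "notes.txt").write_bytes(b"not on the list")
        return sweep(root, DRIVE_NAMES)

if __name__ == "__main__":
    import sys
    # Usage: first argument is the system folder, the rest are drive roots.
    for index, folder in enumerate(sys.argv[1:]):
        names = SYSTEM_NAMES if index == 0 else DRIVE_NAMES
        print(folder, sweep(folder, names))
```

A name hit alone is worth a look; a cluster of identical files under several of these names is the stronger indicator.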