W32.Socay.Worm


Aliases: W32/Socay.worm, Win32.HLLW.Yacos.1, W32/Socay-A, Win32/Socay.A, WORM_SOCAY.A
Variants: W32/Socay.A, I-Worm/Delf.N, Win32.Socay.A@mm, W32/Nallegam.B.worm, NewHeur_PE

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 15 Jan 2003
Damage: Medium

Characteristics: W32.Socay.Worm is a backdoor Trojan with worm functionality. It tries to mail itself to every contact in the Microsoft Outlook address book.

More details about W32.Socay.Worm

W32.Socay.Worm is a backdoor Trojan with worm functionality. It tries to spread itself to all the addresses in the Microsoft Outlook address book. The e-mail it sends has “Subject: Re:VISA DE TRABAJO” and “Attachment: ”. The Trojan also attempts to copy itself to drive A: as “Visa de Trabajo .exe”. The backdoor component listens on port 8521 for remote connections. When W32.Socay.Worm is run, it displays fake error messages. The Trojan copies itself to “C:\Windows\Scanregw.exe”, replacing the original “Scanregw.exe” file, and sets itself to run at Windows startup by setting the registry value “ScanRegistry = c:\windows\scanregw.exe”.

W32.Socay.Worm tries to copy itself to “A:\Visa de Trabajo .exe” every few minutes. It listens on port 8520 for commands and can perform a range of actions, including “Downloading and uploading files”, “Executing files”, “Deleting files”, “Closing windows”, “Restarting Windows”, “Displaying messages”, “Logging keystrokes”, and “Opening and closing the CD-ROM drive”. The Trojan mails itself to all the addresses in the Microsoft Outlook address book. The messages it sends have the following characteristics: “Subject: Re:VISA DE TRABAJO”, “Message Body: FIJATE EN LO QUE TE MANDO A VER SI TE GUSTA YACONETMASTER”, and “Attachment: The file name of the attachment varies”.
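The following PowerShell host-triage check is an added example, not part of the original entry: it looks for the indicators described above (the ScanRegistry autostart value pointing at scanregw.exe, a listener on TCP 8520 or 8521, and the propagation copy on drive A:). The Run key path is an assumption, since the entry names the value but not the key that holds it.

```powershell
# Added triage example for the W32.Socay.Worm indicators described in this entry.
# ASSUMPTION: the Run key path; the entry only names the "ScanRegistry" value.
function Test-SocayIndicators {
    [CmdletBinding()]
    param(
        [string]$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        [int[]]$BackdoorPorts = @(8520, 8521)   # both port numbers appear in the entry
    )
    $findings = @()

    # 1. Autostart: a "ScanRegistry" value pointing at scanregw.exe, the file the worm replaces.
    #    Windows 9x shipped a legitimate ScanRegistry entry, so the value alone is not conclusive;
    #    the replaced scanregw.exe itself is what an AV scan or hash comparison must confirm.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['ScanRegistry']) {
        $data = [string]$run.ScanRegistry
        if ($data -match 'scanregw\.exe') {
            $findings += "Run value ScanRegistry = $data"
            $file = ($data -replace '\s+/.*$', '').Trim('"')   # drop any trailing switch such as /autorun
            if (Test-Path -LiteralPath $file) {
                $item = Get-Item -LiteralPath $file
                $findings += "Autostart target present: $file ($($item.Length) bytes, modified $($item.LastWriteTime))"
            }
        }
    }

    # 2. Backdoor listener on the ports named in the entry.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $BackdoorPorts -contains $_.LocalPort }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listener on TCP $($l.LocalPort) owned by PID $($l.OwningProcess) ($($proc.ProcessName))"
    }

    # 3. Propagation copy on the floppy drive.
    $floppyCopy = 'A:\Visa de Trabajo .exe'
    if (Test-Path -LiteralPath $floppyCopy) { $findings += "Propagation copy present: $floppyCopy" }

    return $findings
}

$results = Test-SocayIndicators
if ($results.Count -eq 0) { 'No Socay indicators found.' } else { $results }
```

Run it from an elevated prompt so Get-NetTCPConnection can resolve owning processes; any finding should be followed by a full scan, since the Run value on its own can be legitimate.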