Aliases: W32/Soriw.worm, Backdoor.Trojan, Troj/Sory-A, Win32/HLLW.Soriw.A,
Variants: WORM_SURIW.A, Worm/Soriw.A, W32/Soriw.A.worm, Win32/Soriw.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 29 Mar 2005
Damage: Medium

Characteristics: The W32.Sory.A application is a worm that multiplies through network shares and gets private information.

More details about W32.Sory.A

When the W32.Sory.A worm is opened, it duplicates itself as “%System%Services.exe”. Take note that, “%System%” is a variable submitted to the System folder. By default this is “C:WinntSystem32 (Windows NT/2000)”, “C:WindowsSystem32 (Windows XP)”, or “:WindowsSystem (Windows 95/98/Me)”. The worm then makes the file “%System%wmksm.msm”. It tries to multiply through the network shares. The worm logs the following info: “Keystrokes”, “E-mail settings”, “Windows registration details”, and “Information about the computer hardware”. It stores the logged info in randomly named documents in the folders “%System%Temp (5035 bytes)”, and “%Windir%Temp”. Take note that “%Windir% is a variable submitted to the folder of Windows installation. By default, this is “C:Winnt” or “C:Windows”. It stores the names of such random files in “%System%wmksm.msm.” removal.

The W32.Sory.A worm has the ability to go through the system of the user and from there, it could steal vital information. It could also infect the system of the user via exploits. From reports, the W32.Sory.A worm has been infecting systems worldwide. It has been working on different Windows platform and uses the Internet Explorer. An example of a huge damage that this W32.Sory.A worm can do is that it could get personal information from the user that would be related to their financial services. It could do a scan on the user's computer and get this kind of information regarding their paying methods and this will be sent to the remote server.