Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 29 Jun 2007
Damage: Medium

Characteristics: W32.Svich propagates through Yahoo! Messenger and by copying itself to every drive. It also downloads files that are likely malicious and lowers the security settings of the compromised computer.

More details about W32.Svich

Once W32.Svich is executed, the worm creates the following files: %Windir%\Tasks\At1.job, %Windir%\SSVICHOSST.exe, %System%\SSVICHOSST.exe, %System%\autorun.ini, [DRIVE LETTER]:\SSVICHOSST.exe, and [DRIVE LETTER]:\New Folder.exe. It also creates [DRIVE LETTER]:\autorun.inf so that it is launched whenever the drive is accessed. The worm then creates registry entries so that it runs every time Windows starts, and modifies the registry entries that control security settings. It also runs the command AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\SSVICHOSST.exe, which schedules the threat to start daily at 9:00.

Next, the worm attempts to download configuration files from [http://]nhatquanglan4.t35.com/setti[REMOVED], [http://]nhatquanglan3.t35.com/setti[REMOVED], [http://]nhatquanglan4.t35.com/setti[REMOVED], and [http://]nhatquanglan3.t35.com/setti[REMOVED], and stores them as %System%\setting.ini. This file lists the URLs of the files to be downloaded and executed. The worm attempts these downloads daily and saves the downloaded files as %System%\check01.exe, %System%\check02.exe, and %System%\check03.exe.
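The drop locations, the autorun.inf hook and the AT scheduling described above can be checked mechanically during triage. The following script is an added example written for this entry; it is not code from the original write-up or from any vendor tool. It assumes %Windir% is C:/Windows and %System% is C:/Windows/system32 (adjust WINDIR and SYSTEM otherwise), the function names are hypothetical, and every sample input (file listing, autorun.inf text, AT command line) is constructed for demonstration. It matches the fixed and drive-root drops named in the description, parses an autorun.inf for the keys Windows honours on drive access, and decomposes an AT command line so the scheduled binary can be checked against the same indicators.

```python
"""Triage helpers for the W32.Svich indicators listed in the description.

Added example, not part of the original entry. Assumes %Windir% is
C:/Windows and %System% is C:/Windows/system32. All sample input below
is constructed; function names are hypothetical.
"""
import re
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\Windows")   # assumed %Windir%
SYSTEM = WINDIR / "system32"              # assumed %System%

# Fixed-location drops named in the description.
FIXED_DROPS = {
    WINDIR / "Tasks" / "At1.job": "scheduled task artefact",
    WINDIR / "SSVICHOSST.exe": "worm copy in %Windir%",
    SYSTEM / "SSVICHOSST.exe": "worm copy in %System%",
    SYSTEM / "autorun.ini": "dropped autorun.ini",
    SYSTEM / "setting.ini": "downloaded configuration",
    SYSTEM / "check01.exe": "downloaded payload",
    SYSTEM / "check02.exe": "downloaded payload",
    SYSTEM / "check03.exe": "downloaded payload",
}
# Files the worm places at the root of every drive.
DRIVE_ROOT_DROPS = {
    "ssvichosst.exe": "worm copy at drive root",
    "new folder.exe": "disguised worm copy at drive root",
    "autorun.inf": "autorun hook at drive root",
}


def classify_path(path):
    """Return a reason string if `path` matches a W32.Svich drop, else None."""
    p = PureWindowsPath(path)
    norm = str(p).lower()
    for known, why in FIXED_DROPS.items():
        if norm == str(known).lower():
            return why
    # A drive-root drop has exactly one component after the drive anchor.
    if p.drive and len(p.parts) == 2 and p.name.lower() in DRIVE_ROOT_DROPS:
        return DRIVE_ROOT_DROPS[p.name.lower()]
    return None


def scan_paths(paths):
    """Return [(path, reason)] for every path in `paths` that is an indicator."""
    return [(path, classify_path(path)) for path in paths if classify_path(path)]


def autorun_launch_targets(inf_text):
    """Return the commands an autorun.inf would run when the drive is opened.

    Reads open=, shellexecute= and shell\\<verb>\\command= under [autorun].
    """
    targets, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append(value.strip())
    return targets


def is_svich_autorun(inf_text):
    """True if any launch target in the autorun.inf names the worm binary."""
    return any("ssvichosst.exe" in t.lower() for t in autorun_launch_targets(inf_text))


AT_RE = re.compile(
    r"^at\s+(?P<time>\d{1,2}:\d{2})\s+(?P<interactive>/interactive\s+)?"
    r"/every:(?P<days>[\w,]+)\s+(?P<command>.+)$", re.IGNORECASE)


def parse_at_command(cmdline):
    """Split an `AT <time> [/interactive] /EVERY:<days> <command>` line, or None."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    return {"time": m.group("time"),
            "interactive": bool(m.group("interactive")),
            "days": m.group("days").lower().split(","),
            "command": m.group("command").strip()}


# Constructed sample input: a file listing mixing indicators with benign files,
# an autorun.inf in the shape the description implies, and the AT line it quotes.
SAMPLE_PATHS = [
    r"C:\Windows\Tasks\At1.job",
    r"C:\Windows\SSVICHOSST.exe",
    r"C:\Windows\system32\setting.ini",
    r"E:\SSVICHOSST.exe",
    r"E:\New Folder.exe",
    r"E:\autorun.inf",
    r"E:\Photos\New Folder.exe",          # not at the drive root: not matched
    r"C:\Windows\system32\kernel32.dll",  # benign
]
SAMPLE_AUTORUN = "[autorun]\nopen=SSVICHOSST.exe\nshell\\open\\command=SSVICHOSST.exe\n"
SAMPLE_AT = r"AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\SSVICHOSST.exe"

if __name__ == "__main__":
    for path, why in scan_paths(SAMPLE_PATHS):
        print(f"{path:40} {why}")
    print("autorun.inf launches:", autorun_launch_targets(SAMPLE_AUTORUN))
    task = parse_at_command(SAMPLE_AT)
    print("scheduled:", task["time"], ",".join(task["days"]), classify_path(task["command"]))
```

On a live host the listing would come from walking %Windir% and each drive root rather than from SAMPLE_PATHS, and the AT line from the task listing; the matching logic is unchanged. Paths are compared case-insensitively because NTFS and FAT are case-insensitive, and the drive-root test is deliberately strict so a "New Folder.exe" buried in a user directory is not reported on the strength of its name alone.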

The worm then sends one of the following messages to every Yahoo! Messenger contact: “Vao day nghe bai nay di ban [http://]nhatquanglan1.0catch.com”, “Trang Web nay coi cung hay, vao coi thu di [http://]nhatquanglan1.0catch.com”, “E may, vao day coi co con nho nay ngon lam [http://]nhatquanglan1.0catch.com”, “Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [http://]nhatquanglan1.0catch.com”, “Biet tin gi chua, vao day coi di [http://]nhatquanglan1.0catch.com”, “Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... [http://]nhatquanglan1.0catch.com”, “Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [http://]nhatquanglan1.0catch.com”, “Vao day nghe bai nay di ban [http://]nhatquanglan1.0catch.com”, “Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [http://]nhatquanglan1.0catch.com”, “Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? " &[http://]nhatquanglan1.0catch.com &"”.