W32.Takeobel


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Feb 2007
Damage: Low

Characteristics: The W32.Takeobel application replicates itself to network mapped drives. It also attaches an .1n3 extension to any .doc files that it locates on the compromised computer.

More details about W32.Takeobel

Once the worm performs its functions, it replicates itself to several locations. This worm builds registries so it can perform in case the Windows will start. The worm will then adapts a registry entry so that the folder options cannot be modified and the extension files cannot be noticed. Then the worm finds all the folders on drives for the subfolders. In case a folder contains several subfolders, it will then replicates itself as the name of the folder having an extension of .exe and it changes the folder characteristic to hidden. For instance, if the W32.takeobel finds a specific folder, it will copy it with the same name and then add .exe and make it a hidden file. The worm will then finds for all the .doc files and if these files were found, the worm adds and extension of .ln3 to that specific file then make it a hidden file.

It is recommended to remove the infected files on your computer. Once you removed the files that are being detected, restart your computer on a Normal mode and then proceed. After the removal procedure, Caution messages may appear once your computer was restarted from the time when threat may not totally eliminated at the moment. The displayed messages will be similar as the title is the file Path and then the message body is: Windows cannot find [FILE NAME]. Make sure that you typed the name properly, and try again. To look for a file, click Start button, and then press Search button.