W32.Topion.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 30 Apr 2005
Damage: Low

Characteristics: The W32.topion.A application replicates itself to network shares. The systems affected include Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT and Windows XP.

More details about W32.Topion.A

The autorun.inf file contains the text open=desktop.ion so that when the drive is mounted the worm will run. The worm replicates the files so it can open the shared networks on a computer that is remote. The files are the .inf and desktop.ion (this is the replicate of the W32.Topion.A). The worm tries to access a Site found on www.windows-up.com domain and then download the file called gphoto.htm. From the time of the file was written it was not available or accessible by the user. To remove it to your system you have to disable first the System Restore, the Windows XP or Windows Me. Virus definitions must be updated. Then run a complete system scan and then delete the all detected files as the W32.Topion.A.

Once the W32.Topion.A was performed it replicates itself to the variables %System%\fixion and %System%\blade having .exe extension and a variable %System%\svchost having .dat extension. These variable refers to the folder of the System. This is C:\Windows\System32 (only Windows XP), C:\Winnt\System32 (Windows NT and Windows 2000) or C:\Windows\System (Windows Me, Windows 98, and Windows 95). The worm creates a subkeys to the registry. Also it creates files in the root folder that can be found on drives C to I. The files are the autorun.inf and desktop.ion (this is the replicate of the W32.Topion.A). It recommended to delete all the added values on the registry.