W32.Troresba


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 19 Jun 2009
Damage: Low

Characteristics: The W32.Troresba application propagates through network shares and removable drives.

More details about W32.Troresba

The worm deletes registry entries in order to disable access to the computer's drives. It then copies itself to all removable drives and network shares as %DriveLetter%\[ORIGINAL THREAT FILE NAME] with an .exe extension. It also creates files such as %SystemDrive%\autorun and %DriveLetter%\autorun with an .exe extension so that it runs each time the drive is accessed. The worm also adds extra user accounts and then tries to escalate privileges by adding itself to the administrator account. Before accessing a removable drive inserted into your computer, make sure that good antivirus or antispyware software scans the drive. Vulnerable computers are easily infected by these viruses.

Once W32.Troresba is executed, it searches the file system of the compromised computer and copies itself into Program Files, for instance as %ProgramFiles%\Uninstall Information.exe, %ProgramFiles%\Common Files\Microsoft Shared.exe, %ProgramFiles%\Common Files\InstallShield.exe, %ProgramFiles%\ComPlus Applications.exe etc., and even onto the system drive as %SystemDrive%\Config.Msi.exe, %System%\CatRoot.exe etc. The worm then creates the files %Windir%\Tasks\03.job, %Temp%\~DF48C2.tmp, and %Windir%\Tasks\02.job. It creates registry entries so that it runs every time Windows starts. The worm also modifies existing registry entries, keys, and subkeys.
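The copies listed above are each named after a standard Windows folder with .exe appended, so a defender can hunt for any executable whose base name equals a directory beside it. The following Python sketch is an added example, not part of the original write-up; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def find_folder_masquerades(root, max_depth=3):
    """Return .exe files whose base name equals a directory in the same folder."""
    hits = []
    for parent, dirs, files in os.walk(root):
        sibling_dirs = {d.lower() for d in dirs}
        rel = os.path.relpath(parent, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirs[:] = []  # this level is still checked, but do not descend further
        for name in files:
            stem, ext = os.path.splitext(name)
            # "Config.Msi.exe" -> stem "Config.Msi", which matches the folder name
            if ext.lower() == ".exe" and stem.lower() in sibling_dirs:
                hits.append(os.path.join(parent, name))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample layout: three masquerading copies and one benign exe."""
    for d in ("Config.Msi",
              "Program Files/Uninstall Information",
              "Program Files/Common Files/Microsoft Shared",
              "Program Files/Tool"):
        os.makedirs(os.path.join(base, *d.split("/")))
    for f in ("Config.Msi.exe",
              "Program Files/Uninstall Information.exe",
              "Program Files/Common Files/Microsoft Shared.exe",
              "Program Files/Tool/tool.exe"):  # benign: no sibling "tool" directory
        with open(os.path.join(base, *f.split("/")), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for path in find_folder_masquerades(base):
            print(os.path.relpath(path, base))
```

On a live system, point `find_folder_masquerades` at the system drive root and treat every hit as a lead to verify, since a legitimate installer can occasionally place an executable next to a folder of the same name.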