W32.Uisgon.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 16 May 2007
Damage: Low

Characteristics: The W32.Uisgon.A application is a worm that replicates itself to shares on the network. The infection length ranges from 2,873 bytes to 4,233 bytes.

More details about W32.Uisgon.A

Once the W32.Uisgon.A was executed, it replicates itself the files such as the [DRIVE LETTER]:\[WORM FILENAME].bat, %CurrentFolder%\[CHINESE CHARACTERS]Beta3.exe, %Windir%\[CHINESE CHARACTERS]Beta3.exe, and %Windir%\[WORM FILENAME].[EXTENSION]. The worm then creates file where majority are harmless files like %CurrentFolder%]\uishere-[NUMBER].txt, %CurrentFolder%/sleep.vbe, %Windir%\[WORM FILENAME].vbe, c:\ubye.txt, and %CurrentFolder%/inf.tem. The worms may create files such as c:\8bye.txt, %Windir%\[CHINESE CHARACTERS].bat, %Windir%\[CHINESE CHARACTERS].txt, %CurrentFolder%\s.vbe, %Windir%\uda.exe, %Windir%\bakfiles\[CHINESE CHARACTERS].bat, %Windir%\uda.a, %Windir%\uda-[CHINESE CHARACTERS].bat, %Windir%\Anti-[CHINESE CHARACTERS].bat, %Windir%\bakfiles\uda.a, etc. The worm also deletes the %Windir%\ReadMe.txt file. When removing the virus, first thing is you have to disable the System Restore of your computer, Windows Me or Windows XP. Just turn the System restore off. So it can prevent any programs from changing the System restore. Then the virus definitions must be updated. Run a complete system scan and then delete all of the files that were detected as the W32.Uisgon.A.

Also the worm can generate files that include Chinese character on the variable. It will then overwrite the file Autorun.inf in every network drive that is mapped in any of the Drives. The worm also has the ability to drop some of files on your computer. The worm also creates entry of the registry so in case the Windows starts the worm will also run at the same time. The worm will then tries to contact the directory of the shared networks on the 192.168.2.211 IP address. If the contact was successful, then the execution file will be the \re$\add.bat.