Aliases: Dropper.Agent.htr, W32/Vibmaru, Worm.W32/Vibmaru
Variants: Trojan.Crypt.Xpack.AMW, Worm.W32.Vibmaru

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Mar 2007
Damage: Low

Characteristics: The W32.Vibmaru application is a worm that infects all Windows systems through network shares. It copies itself as an .exe file into the Windows folder and the Windows System folder, and modifies the registry so that it runs automatically at every system startup.

More details about W32.Vibmaru

W32.Vibmaru affects Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP systems. Once executed, it copies itself as System32.exe in the Windows folder and as msrundll.exe and System.exe in the Windows System folder. It then creates and modifies registry entries so that it runs every time Windows starts. It is also executed every time a file with a .txt or .ini extension is opened. It then changes the clock time based on “Greenwich Mean Time”. If the worm is not removed, it will keep replicating to other computers through network shares. The infection can be removed by running a full system scan and deleting the infected files that are detected.
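The file names and folders above can be turned into a triage check for exported autorun and file-open handler command lines. This is an added example, not part of the original entry; the entry labels, the sample values, the default `C:\WINDOWS` root and the reading of "Windows System folder" as `system32` or `system` are assumptions.

```python
import ntpath
import re

# File names and folders as given in the description above.
DROPPED = {"windows": {"system32.exe"}, "system": {"msrundll.exe", "system.exe"}}

def executable_of(command):
    """Pull the program path out of a registry command line."""
    command = command.strip()
    if command.startswith('"'):                         # quoted path followed by arguments
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, flags=re.I)  # unquoted, may contain spaces
    return m.group(1) if m else command.split(" ", 1)[0]

def expand(path, windir):
    """Resolve %SystemRoot% / %WinDir%, then normalise separators and case."""
    path = re.sub(r"%(systemroot|windir)%", lambda _: windir, path, flags=re.I)
    return ntpath.normpath(path).lower()

def classify(command, windir=r"C:\WINDOWS"):
    """Return 'windows' or 'system' if the command launches a dropped copy, else None."""
    folder, name = ntpath.split(expand(executable_of(command), windir))
    root = ntpath.normpath(windir).lower()
    folders = {
        "windows": {root},
        # Assumption: "System folder" means system32 (NT family) or system (9x/Me).
        "system": {ntpath.join(root, "system32"), ntpath.join(root, "system")},
    }
    for role, names in DROPPED.items():
        # A bare file name (empty folder) is resolved through the search path.
        if name in names and folder in folders[role] | {""}:
            return role
    return None

def scan(entries, windir=r"C:\WINDOWS"):
    """Map each entry label to the role it launches; clean entries are omitted."""
    return {k: r for k, v in entries.items() if (r := classify(v, windir))}

# Constructed sample values, not taken from a real host.
SAMPLE = {
    "autorun entry": r"C:\WINDOWS\System32.exe",
    ".txt open handler": r'%SystemRoot%\system32\msrundll.exe "%1"',
    ".ini open handler": r"C:\WINDOWS\system32\NOTEPAD.EXE %1",
    "autorun entry 2": r'"C:\WINDOWS\system32\ctfmon.exe"',
}

if __name__ == "__main__":
    for label, role in scan(SAMPLE).items():
        print(f"{label}: launches a W32.Vibmaru file name in the {role} folder")
```

Matching on folder and name together keeps a legitimate program in the `system32` directory from being flagged just because the directory name resembles System32.exe.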

The W32.Vibmaru program can record the user’s activities. This can be done by logging keystrokes or capturing screenshots and mouse clicks. The files stored in the system may also be stolen or deleted. The settings may be changed to disable security features. The CD drives may open and close suddenly. Additional malware applications can be downloaded to the system by the W32.Vibmaru software. These are then installed and added to the system registry. This makes sure they have access to computer resources. The programs are then launched and run in the background.