W32.Whacker.A


Aliases: Delf.AOU, TR/Agent.259584.A, W32/NetworkWorm.BPB
Variants: Win32:Delf-EVG, Worm.Win32.YadBlack.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 15 Apr 2007
Damage: Medium

Characteristics: W32/Whacker.A is a worm that spreads via removable media drives and infects all types of files on the compromised computer. It affects Windows operating systems such as Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP.

More details about W32.Whacker.A

Once the W32.Whacker.A worm is executed, it creates interview.exe on the system and creates a service named Sysintevet to execute itself each time Windows starts. This results in the creation of an inappropriate registry subkey, and the worm also creates hidden BLACK-DAY.exe and autorun.inf files in the root of all mapped hard drives. After that, it replaces all the first file type sized 258,048 bytes on all mapped drives with a copy of itself. The worm is claimed to infect all of these files, and a .wswhacker string is appended to them. W32.Whacker.A also adds an iframe to all files that have asp, htm, aspx, html, php, and jsp extensions.
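A triage scan for the file artifacts described above, as an added example that is not part of the original entry. The names `scan_tree` and `demo` are hypothetical. It assumes the .wswhacker string appears either in the file name or near the end of the file's contents, and it treats any iframe in a web file only as a lead for manual review, since the entry gives no iframe URL.

```python
import tempfile
from pathlib import Path

DROPPED = {"black-day.exe", "interview.exe"}  # file names given in the entry
WEB_EXTS = {".asp", ".htm", ".aspx", ".html", ".php", ".jsp"}
MARKER = b".wswhacker"  # assumed to sit in the file's last 4 KiB or in its name


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if name in DROPPED:
            findings.append((rel, "dropped-file name"))
        if name == "autorun.inf" and path.parent == root:
            findings.append((rel, "autorun.inf in drive root"))
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable; skip rather than abort the scan
        if path.suffix.lower() in WEB_EXTS:
            if b"<iframe" in data.lower():  # heuristic: needs manual review
                findings.append((rel, "iframe in web file (review)"))
        elif MARKER in data[-4096:] or name.endswith(".wswhacker"):
            findings.append((rel, ".wswhacker marker"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (not real samples) and return findings."""
    samples = {
        "autorun.inf": b"[autorun]\n",
        "BLACK-DAY.exe": b"MZ constructed stub",
        "tool.exe": b"MZ constructed body" + MARKER,
        "clean.exe": b"MZ nothing appended",
        "www/index.html": b"<html><IFRAME src='placeholder'></IFRAME></html>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:30} {rel}")
```

Point `scan_tree` at the root of a mounted drive so that the autorun.inf check applies to the drive root rather than to a subdirectory.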

Upon entering a computer, W32.Whacker.A installs itself without the user's consent. It creates some registry entries on the computer to ensure that it launches at each start-up. The application may be installed under the filename of a legitimate Windows application. It opens a backdoor on the affected computer. Backdoors allow other malware to enter the affected computer stealthily, and they are also used by a remote user to communicate with the Trojan software on the affected system. The remote user may send several commands to the application.