W32.Whybo


Aliases: W32/Whybo.worm
Variants: Win32/Whybo.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 03 Apr 2007
Damage: Low

Characteristics: The W32.Whybo program is a virus that infects .exe files in Windows Operating System such as Windows 2000, Windows 95, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP.

More details about W32.Whybo

When W32.Whybo is executed on your system, the virus duplicates itself as svchost.exe, internt.exe and progmon.exe file and sets the attributed files to hidden on system folder. The virus will then duplicate itself to any fixed hard drives from C - Z as setup.exe file. It as well creates AutoRun.inf file in the system drive. Next, it creates svchost.ini file and if the file does not already exist, it sets the file to hidden and system. After that, it creates registry entries in order to run when the Windows starts. W32.Whybo is like to known to create mutex so only 1 instance of virus is running on your compromised PC. After all this process, it downloads a file that contains encrypted data, saves this file to the computer as pagefile.pif then runs it and infects all .exe files it finds. If the virus is the Chinese language version, it tries to close Windows Task Manager.

The W32.Whybo program is often created with a client program. The client application resides on the unauthorized user’s computer. It is used to send commands to the Trojan program. It may also receive information from the infected machine. A backdoor is created to facilitate the connection between the two software. This makes sure the information that passes is not monitored by installed security software.