W32.Windang.A


Aliases: Generic.OKL, Trojan.VB.hk, Trojan.Win32.VB.jb, W32/Agent.MPY
Variants: W32/Alcop, W32/Alcop-B, Win32/Alcaul.AX, Win32:Alcopaul-E, Worm:Win32/Windang.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Dec 2006
Damage: Low

Characteristics: The W32.Windang.A program is a worm that duplicates itself through removable media such as floppy disks. The worm affects Windows operating systems such as Windows 2000, Windows 98, Windows 95, Windows NT, Windows Me, Windows XP, and Windows Server 2003.

More details about W32.Windang.A

W32.Windang.A is a local floppy-hopper worm. It is written in Visual Basic and its icon is copied from Microsoft Word, so that the user sees what looks like a Word document and does not notice that the file is a worm. Once W32.Windang.A is executed, it drops a file with a .doc extension and launches Microsoft Word (Winword) to display it and eliminate itself. The dropped file has a name similar to that of the original worm but with the .doc extension; it is 27,136 bytes long and includes text in Spanish starting with "Wide World Importers presents...". The worm also drops a file named LSASS.EXE in the Windows directory, which monitors access to drive A. When a floppy disk without write protection is inserted into the system, the worm copies itself onto it. The worm is also claimed to sometimes drop an HTML file containing a warning message in Spanish to the user; this file contains the string "Grupo GeDZac". W32.Windang.A also adds itself to the registry so that it is loaded again when Windows starts.
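The file artifacts described above can be swept for on a mounted disk or floppy image; the following is an added example, not part of the original write-up. The function names and indicator labels are hypothetical, it assumes the decoy .doc sits in the same folder as the executable it is named after, and it relies on the fact that the genuine lsass.exe lives in the System32 subdirectory rather than in the Windows directory itself.

```python
import os

DOC_SIZE = 27136               # size of the dropped .doc, as stated in the write-up
HTML_MARKER = b"Grupo GeDZac"  # string in the dropped HTML message, as stated
MAX_READ = 1 << 20             # read at most 1 MiB of each HTML file (assumption)


def misplaced_lsass(windows_dir):
    """Return any lsass.exe sitting directly in the Windows directory.

    The genuine lsass.exe lives in the System32 subdirectory, so a copy one
    level up matches the dropped drive-A monitor described above.
    """
    found = []
    for name in sorted(os.listdir(windows_dir)):
        path = os.path.join(windows_dir, name)
        if name.lower() == "lsass.exe" and os.path.isfile(path):
            found.append(path)
    return found


def scan_tree(root):
    """Walk root (a disk or mounted floppy image) and return (indicator, path) hits."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        exe_stems = {os.path.splitext(f)[0].lower()
                     for f in files if f.lower().endswith(".exe")}
        for name in files:
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(name.lower())
            try:
                if ext == ".doc" and stem in exe_stems:
                    # Decoy document: same name as an executable (same-folder
                    # placement is an assumption) and the exact stated size.
                    if os.path.getsize(path) == DOC_SIZE:
                        hits.append(("decoy-doc-beside-exe", path))
                elif ext in (".htm", ".html"):
                    with open(path, "rb") as fh:
                        if HTML_MARKER in fh.read(MAX_READ):
                            hits.append(("html-marker", path))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)
```

A size or name match is only a triage hint; confirm any hit with an up-to-date scanner before acting on it.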

The W32.Windang.A application creates a backdoor on the computer and then waits for commands from a remote user through an open port. These commands include deleting files, uploading and downloading data, using the webcam to record activity on the computer, and removing important files from the computer. All of these activities are carried out in stealth mode. The computer may slow down as a result of the remote user's actions on the affected system. The application enters the computer through security exploits and program vulnerabilities, and may get onto the user's system when the user visits an insecure website. It is installed stealthily, without asking for the user's consent.