Aliases: Alien.Worm, W32.Alien.Worm, W32.HLLW.Carlotta, Win32.HLLP.Winfig
Variants: W32/Winfig, W32/Winfig.worm, TROJ_WINSOUND

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: South America
Removal: Easy
Platform: W32
Discovered: 04 Sep 2000
Damage: Medium

Characteristics: The W32.Winfig.Gen program comes with a file named either Winfig.exe, Winsound.exe, or Kernelg.exe. It duplicates itself via floppy disks. The virus constantly checks your floppy disk. If the floppy disk is detected by the drive, the virus duplicates itself to the floppy disk. The pay load then deletes Win.com. As a result of all these process, Windows doesn’t function when you re start your computer.

More details about W32.Winfig.Gen

When W32.Winfig.Gen is executed on your system, it duplicates itself to the Windows or Windows System folder as Kernelg.exe or Winfig.exe. It modifies Win.ini file in order for the virus to run whenever windows starts. It then becomes resident in the memory. It remains in memory and constantly checks disk drive A for floppy disks. When a floppy disk is found, the virus duplicates itself to the floppy disk. The virus also checks the date of your system and if the date of the system is after October 1, it executes the pay load. This changes your Windows wallpaper desktop and shows a message. In addition, the virus also creates 316 folders that are empty in the Windows System. These folders are then named as “Melissa & Carlos***” (*** is the number from 0 to 315). Finally, W32.Winfig.Gen modifies Autoexec.bat to show a message while Windows startup and erases Win.com. This results in Windows not to function after restart.

The components of the W32.Winfig.Gen application may be named similarly to those of legitimate system processes. They may also use file names that appear to be related to the operating system. These processes are also added to the startup registry key. The W32.Winfig.Gen program creates a backdoor in the system. This is an unsecure opening. It is used to connect to a remote server. Other malware applications may also use it to access the computer. The backdoor is created by opening an idle system port. It is unmonitored by security programs because it may still be listed as unused.