Aliases: Win32.Arnger.A, Win32/Arnger.Worm
Variants: W32/Fiancee.worm, Win32.HLLW.Arnger

Classification: Malware
Category: Trojan Horse

Status: Dormant
Spreading: Fast
Geographical info: North and South America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 24 Sep 2003
Damage: Medium

Characteristics: This malware is classified as dormant primarily because its main method of propagation is the floppy disk which is no longer used in majority of systems. The W32.Arnger program is responsible for placing a copy of itself onto the floppy disk and automatically delivering its payload when the drive is accessed.

More details about W32.Arnger

This Worm makes use of the UPX packing method and is spread to other computer systems by using the floppy disk as its main transport media. When launched in a vulnerable computer system, the Win32.Arnger malware will attempt to overwrite the contents of executable files rendering them unusable. In some instances, this malware may opt to create a copy of itself using either a COM or EXE file extension. Based on accounts of previous infections from the Win32.Arnger malware, some of the filenames commonly associated with it include systmger.exe, calc.exe, syscalc.com, notepad.exe, syspad.com, and sysctrl.com among others. These files are only created by the malware if they do not exist in the host computer system. If they do exist however, the existing file will be overwritten with the codes of the malware. Consistent with most Worm variants, this malware can spread quite fast provided that the computer system still makes use of floppy disks. The Win32.Arnger malware normally places a copy of itself onto the floppy disk using the Modelos_AQP.exe, Fotos2002.exe, la_Novia.exe, Pitufoso.exe, and Natalia_Oreiro.exe filenames among others.

According to antivirus developers, no other transport mechanism has been identified with this particular threat. The malware will automatically deliver its payload to the computer system once the infected floppy disk is accessed by the unsuspecting computer user. The comments "$ARCANGEL 2002..AREQUIPA - PERU" have been found in the codes of this malware and are normally displayed on the screen of the computer user once the machine has been infected.