Aliases: W32/Dexec.worm
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active
Spreading: Moderate
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Jan 2003
Damage: High

Characteristics: W32/Dexec.worm is a type of a Trojan Horse which is usually written in the Windows system’s Microsoft Visual Basic programming language. This Trojan disguises as a folder that can be placed in a Windows folder. Once it is clicked, the Trojan begins to infect.

More details about W32.Dexec

This Trojan will use a standard Windows folder to be placed as one of the folders used by the host. But this folder is a fake. The infection will start to spread in the Windows system when it is double-clicked. Once this Trojan starts to infect, it copies Windows files which are the C:\%Windir%\hh.exe is copied as C:\%Windir%\Fonts\h.exe, C:\%Windir%\Notepad.exe is copied as C:\%Windir%\Fonts\Notepa.exe and C:\%Windir%\Scandskw.exe is copied as C:\%Windir%\Fonts\Scandsk.exe. Since the %Windir% is a variable, the C:\Windows or C:\Winnt is the default folders. Afterwards, it replicates itself as C:\%Windir%\hh.exe, C:\%Windir%\Notepad.exe, C:\%Windir%\Scandskw.exe and C:\%Windir%\Fonts\Openfont.exe to locate its points to Hidden. Then, a subfolder will be created in the C:\%Windir%\Temp folder with the use of the Windows Explorer. Next, the virus will add a certain value two registry keys. After adding, the Trojan also deletes the default values then modifies itself into C:\%windir%\Fonts\openfont.exe. Again, it adds another value and creates a subkey. Hence, the Trojan is successfully transferred in the system.

Trojan applications are often disguised as harmless files. This allows users to grant the program access without knowing their malicious intent. They are spread using e-mails, instant messages, peer-to-peer (P2P) file sharing programs, drive-by-downloads and downloader applications. It may also be bundled with other software the user downloads. Trojan software often hides behind a surface process. This process is typically a visual presentation that distracts the user as the malicious files are being unloaded into the system.