W32.Estrella


Aliases: Backdoor.Trojan
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 13 Jun 2002
Damage: Low

Characteristics: W32.Estrella is intended to multiply on floppy disks. It periodically copies itself to the floppy. This virus uses filenames that are chosen randomly from its own list. The author of this virus has written this in Microsoft programming language. It also automatically deletes some specific files on December 15th. The author chose to write this virus on Microsoft Visual Basic programming language. This is also known as Backdoor.Trojan when it was updated last June 13, 2002. In addition, it targets all Windows Operating System platforms. Users may also see the file “A:\Estrella.exe” on floppy drives, an indication that the virus is already present in the computer.

More details about W32.Estrella

W32.Estrella also uses a standard Windows folder icon for deception. Another infection routine is through adding values and or files in window system folders and registry files. Users may see files named as “Kernel32.com” “Server.com” and “COMMAND\Scandisk.com.” If these files are opened, the Trojan file name will not be Estrella.exe, Server.com, Kernel32.com, or Scandisk.com, it does not copy itself to any files. Thus, it only adds the values to the registry. The worn continuously finds the windows folders and duplicates itself to spread. It displays the message saying “CyberCerebro Creador De Este Trojan/Virus 1998 – 2002 Alias Kernel As R*c*e*s” in a windows box in full black base. It deletes the following files if they are found: Command.com, Config.sys, Autoexec.bat, Windows\Command\Format.com, Windows\Options\Install\Format.com, Windows\Command.com, Mis Documentos\*.doc, Borlandc\Bin\*.cpp, Borlandc\Bin\*.c, Borlandc\Bgi\*.cpp, Borlandc\Bgi\*.c, Archivos De Programa\Microsoft Visual Studio\Vb98\*.frm, Archivos De Programa\Microsoft Visual Studio\Vb98\Bin\*.cpp, *.doc. Then, it removes all folders and files on drive D. The virus may also sleep for awhile then resumes to search for drive A for the file Estrella.exe and if it’s not found, it copies itself as file Estrella.exe on the floppy disc.

According to security program developers, the W32.Estrella program is a malware program that opens up a specific port on the infected machine. This malware may have the capability to listen for potential commands from remote users logged into an IRC channel to start its attacks on a machine. It was reported that this malware may be acquired by downloading files sent from IRC channels. There is a possibility for this malware to be bundled with a freeware program and installed in a machine when the compromised installation file containing its codes is executed on the computer.