Aliases: N/A
Variants: Win32/Pagipef!generic, W32.Pagipef.I!html, Win32/Pagipef.J

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 29 Nov 2007
Damage: Medium

Characteristics: W32.Pagipef.I is a worm, discovered on November 29, 2007, that infects executable files and spreads by copying itself to local and removable drives. It affects Windows 98, XP, Me, Vista, NT, Server 2003 and 2000.

More details about W32.Pagipef

To propagate, the worm performs several actions. First, it creates files and system registry subkeys. It then deletes three registry subkeys already present on the local machine and modifies several other registry entries. Next, the worm spreads by copying itself to local and removable drives C through F as [DRIVELETTER]:\pagefile.pif; when such a drive is accessed, the worm also creates [DRIVELETTER]:\autorun.inf, so the copy is launched automatically. It infects all HTML files stored in RAR archives by inserting a script tag that possibly contains malicious code. The worm can terminate processes whose names contain any of the following strings: asm, ida, softice, ollydbg, metapad, mozillauiwindowclass, ieframe, cabinetwclass and 360 (analysis tools, browsers and a security product). It then contacts a specified web site and attempts to reboot the host computer. This completes its propagation routine and its infection of executable files.
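As an added defender-side check, not part of the original page: a Python routine that inspects a drive root for the pagefile.pif and autorun.inf pair the worm drops, parsing the autorun.inf launch keys rather than just checking for the file's presence. The autorun.inf sample contents are a constructed assumption; the page does not give what the worm writes into that file.

```python
import tempfile
from pathlib import Path

# Dropped-copy name from the page; Windows' real paging file is pagefile.sys, so this .pif is a lure.
SUSPECT_NAME = "pagefile.pif"

# Constructed sample: the page only says the worm writes [DRIVELETTER]:\autorun.inf
# beside pagefile.pif, so the launch keys below are an assumption.
SAMPLE_AUTORUN = """[autorun]
open=pagefile.pif
shellexecute=pagefile.pif
shell\\open\\command=pagefile.pif
"""

def autorun_targets(text):
    """Basenames an autorun.inf launches via open=, shellexecute= or shell\\...\\command=."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            exe = value.split()[0].strip('"')  # drop any trailing arguments
            targets.append(exe.replace("\\", "/").rsplit("/", 1)[-1].lower())
    return targets

def scan_drive_root(root):
    """Flag a drive root holding pagefile.pif or an autorun.inf that launches it."""
    root = Path(root)
    report = {"pif_present": (root / SUSPECT_NAME).is_file(), "autorun_launches_pif": False}
    inf = root / "autorun.inf"
    if inf.is_file():
        report["autorun_launches_pif"] = SUSPECT_NAME in autorun_targets(
            inf.read_text(errors="replace"))
    report["suspicious"] = report["pif_present"] or report["autorun_launches_pif"]
    return report

def demo():
    """Stage two constructed drive roots, one infected-looking and one clean, and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = Path(tmp) / "E", Path(tmp) / "F"
        infected.mkdir()
        clean.mkdir()
        (infected / SUSPECT_NAME).write_bytes(b"constructed placeholder, not a real sample")
        (infected / "autorun.inf").write_text(SAMPLE_AUTORUN)
        return scan_drive_root(infected), scan_drive_root(clean)
```

On a live system, point scan_drive_root at each mounted drive letter (the page names C through F) and treat a suspicious result as a reason to collect the files rather than open them.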

W32.Pagipef.I can also spread malicious files to other computers through P2P (peer-to-peer) file sharing programs and instant messaging applications. On P2P networks the malicious files are disguised under the filenames of legitimate programs so that they are not recognised as a threat, and the program launches automatically on the user's computer once downloaded. The worm may also spread via removable drives shared among different computers: it drops a copy of itself on every removable drive attached to the infected computer, and the threat is transmitted when that drive is connected to an uninfected machine.