W32/Amire-A, W32.Amirecivel.B, W32/Amire-B, W32.Amirecivel.C
Category: Computer Worm
Active & Spreading
Asia, Australia, North America
10 May 2006
W32.Amirecivel.C belongs to the family of peer-to-peer malware and takes advantage of the Kazaa file sharing network to spread its code.
W32.Amirecivel Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Amirecivel from your computer.
More details about W32.Amirecivel
Usually, this malware sends a copy of itself to users downloading files from the network by disguising itself as a legitimate file. It propagates by spreading its code, and it extracts the sex.pic.bat file into whichever folder the code was initially downloaded to. The W32.Amirecivel malware then goes into the System folder of the Windows directory and creates the AVG.exe, spoolsx.exe, winlogon64.exe, servise64.exe, lssass.exe, civil.exe, autocad.exe, project.exe, and AmirCivil.exe files. The worm then goes into the My Shared Folder of Kazaa in the Program Files directory to drop the project2.exe, no_virus.exe, and CIVIL.exe files. The W32.Amirecivel malware also creates various files in the root directory of the main hard drive, and if the logical drives D to M are available, the worm will also use them as storage locations for its different file strains. The key amircivil is created in the Windows Registry so that the worm loads at every reboot or startup of the infected computer system.
W32.Amirecivel also terminates some Windows processes associated with system security as part of its routine to prevent its removal from the machine. As an additional precaution, the worm modifies the contents of the Windows hosts file to prevent the computer user from accessing websites associated with security and malware removal, among others. The W32.Amirecivel malware also infects all executable files stored in the original location where it was downloaded. When one of these executable files is launched by the unwary computer user, the worm immediately initiates shutdown procedures, terminating all running processes and causing possible data loss.
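The file and hosts-file artifacts described above can be checked with a short triage script. This is an added example, not part of the original write-up or of any vendor tool: the function names are hypothetical, the folder paths are supplied by the caller, and because the page does not say how the hosts file is altered, the script assumes blocked sites are pointed at a loopback or unspecified address.

```python
import ipaddress
import tempfile
from pathlib import Path
# File names as listed in the page's description, lower-cased for matching.
SYSTEM_DROPS = set("avg.exe spoolsx.exe winlogon64.exe servise64.exe lssass.exe "
                   "civil.exe autocad.exe project.exe amircivil.exe".split())
KAZAA_DROPS = {"project2.exe", "no_virus.exe", "civil.exe"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def find_drops(folder, names):
    """Names of files directly inside `folder` that match `names`, ignoring case."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and p.name.lower() in names)

def sinkholed_hosts(hosts_text):
    """Hostnames mapped to a loopback or unspecified address (assumed blocking method)."""
    flagged = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if addr.is_loopback or addr.is_unspecified:
            flagged += [h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return flagged

def triage(system_dir, kazaa_shared_dir, hosts_text):
    return {"system": find_drops(system_dir, SYSTEM_DROPS),
            "kazaa": find_drops(kazaa_shared_dir, KAZAA_DROPS),
            "hosts": sinkholed_hosts(hosts_text)}

def demo():
    """Sweep a constructed sample: temporary folders plus constructed hosts text."""
    hosts = ("127.0.0.1 localhost\n127.0.0.1 av-vendor.example update.av-vendor.example\n"
             "192.0.2.10 intranet.example  # not loopback, ignored\n")
    with tempfile.TemporaryDirectory() as root:
        layout = {"system32": ["lssass.exe", "AmirCivil.exe", "notepad.exe"],
                  "My Shared Folder": ["NO_VIRUS.exe", "song.mp3"]}
        for sub, files in layout.items():
            Path(root, sub).mkdir()
            for name in files:
                Path(root, sub, name).touch()
        return triage(Path(root, "system32"), Path(root, "My Shared Folder"), hosts)
```

A name match is a lead rather than a verdict, since names such as AVG.exe and autocad.exe are also used by legitimate software, and hosts entries pointing at loopback can come from ad-blocking lists.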