Aliases: W32/Amire-A, W32.Amirecivel.B, W32/Amire-B, W32.Amirecivel.C
Variants: W32/Amirecivel.H, QHosts.a.gen

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Australia, North America
Removal: Easy
Platform: W32
Discovered: 10 May 2006
Damage: Medium

Characteristics: Belonging to the family of Peer to Peer malware, the W32.Amirecivel.C program takes advantage of the Kazaa file sharing network to spread its codes.

More details about W32.Amirecivel

Usually, this malware sends a copy of itself to users downloading files from the network by disguising as a legitimate file. It propagates by spreading its codes and depending on where the code is initially downloaded; the malware will use this folder location to extract the sex.pic.bat file. The W32.Amirecivel malware then goes into the System folder of the Windows directory and creates the AVG.exe, spoolsx.exe, winlogon64.exe, servise64.exe, lssass.exe, civil.exe, autocad.exe, project.exe, and AmirCivil.exe files. The Worm then goes into the My Shared Folder of Kazaa in the Program Files directory to drop the project2.exe, no_virus.exe, and CIVIL.exe files. The W32.Amirecivel malware also creates various files in the root directory of the main hard drive and if the logical drives D to M are available, the Worm will also use them as storage locations for its different file strains. The key amircivil is created in the Windows Registry to allow it to load at every reboot or startup instance of the infected computer system.

Some Windows processes that are associated with system security are also terminated by the W32.Amirecivel as part of its routine to prevent its removal from the machine. As an additional precaution, the Worm also modifies contents of the Windows Host file in order to prevent the computer user from accessing websites that are associated to security and malware removal among others. The W32.Amirecivel malware also infects all executable files stored in the original location where it was downloaded. When one of these executable files is launched by the unwary computer user, the Worm will react by immediately initiating shutdown procedures terminating all running processes and causing possible data loss.