Generic BackDoor, WORM_RUNAUT.B, Win-Trojan/Xema.variant
Backdoor.Delf!sd6, Backdoor.Win32.Delf.pes, Mal/Packer, Mal/EncPk-E, Trojan-Dropper.Delf
Category: Computer Worm
Active & Spreading
12 Jun 2007
The W32.Arpiframe Worm can alter what the Web browser displays by injecting malicious HTML into HTTP traffic passing over the local network. An infected system therefore becomes a threat to every other machine on its network as soon as it has an active Internet connection.
W32.Arpiframe Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Arpiframe from your computer.
More details about W32.Arpiframe
When W32.Arpiframe is executed on a vulnerable computer, it drops multiple files into the System folder of the Windows directory. The files wuclmi.exe (a hacking tool), services.exe (a copy of the wuclmi.exe file), wincgf.exe (an installer for the WinPCap libraries), and capinstall.exe (a copy of the wincfg.exe file) are commonly associated with an infection by this malware. Running the WinPCap installer silently in the background lets W32.Arpiframe create the files NetMonInstaller.exe, daemon_mgm.exe, rpcapd.exe, npf_mgm.exe, Packet.dll, wpcap.dll, pthreadVC.dll, WanPacket.dll, and drivers\npf.sys under the System folder of the Windows directory. Antivirus vendors consider these extracted files clean in themselves, but the malware needs them to deliver its payload. Once all files are installed, the malware deletes capinstall.exe from its original location. W32.Arpiframe then gathers the addresses of the local subnet in preparation for an attack on every client of the network the infected machine belongs to; this is where the WinPCap libraries come into play.
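The worm's name and its dependence on the WinPCap packet capture driver point to interception at the ARP level of the local subnet, which is the assumption behind the following added detection example (it is not code from the original write-up or from any vendor). It parses constructed ARP-reply observations in an assumed "timestamp ip is-at mac" line format and flags the two symptoms a defender would look for on a subnet with such a worm: an IP address whose MAC changes between observations (for example the gateway suddenly answering from a workstation's MAC), and a single MAC that claims several neighbours' IP addresses.

```python
"""ARP-cache anomaly detector for a local subnet (added example, not from the page).

Input format (assumed, constructed for this example): one ARP reply per line,
    "<unix_timestamp> <ip> is-at <mac>"
Findings:
    mac_change   - an IP answered from a different MAC than before (possible takeover)
    multi_ip_mac - one MAC answers for more than one IP (one host impersonating neighbours)
"""
from collections import defaultdict

# Constructed sample: 192.168.1.1 is the gateway (real MAC aa:bb:cc:dd:ee:01);
# from timestamp 1181600030 on, host 00:11:22:33:44:55 starts answering for the
# gateway and for 192.168.1.10 as well as for its own address 192.168.1.20.
SAMPLE_ARP_LOG = """\
1181600000 192.168.1.1 is-at aa:bb:cc:dd:ee:01
1181600001 192.168.1.10 is-at aa:bb:cc:dd:ee:10
1181600002 192.168.1.20 is-at 00:11:22:33:44:55
1181600030 192.168.1.1 is-at 00:11:22:33:44:55
1181600031 192.168.1.10 is-at 00:11:22:33:44:55
"""


def parse_arp_log(text):
    """Return a list of (timestamp, ip, mac) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        records.append((int(parts[0]), parts[1], parts[3].lower()))
    return records


def find_arp_anomalies(records):
    """Replay the observations in order and collect the two anomaly types."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    findings = []
    for ts, ip, mac in records:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            findings.append({"type": "mac_change", "ip": ip,
                             "old_mac": previous, "new_mac": mac, "ts": ts})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append({"type": "multi_ip_mac", "mac": mac, "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_log(SAMPLE_ARP_LOG)):
        print(finding)
```

A router doing proxy ARP, or a host with several IP aliases, will legitimately trigger the multi_ip_mac rule, so on a real network the MAC of the gateway and of any proxy-ARP device should be whitelisted before alerting; the mac_change rule on the gateway address is the stronger signal.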
The Worm injects malicious IFRAME tags into HTTP traffic on the local network. As a result, the Internet Explorer browsers of other computers on the network are redirected to a predetermined website. W32.Arpiframe then forces those compromised machines to download a copy of the Worm along with other malicious code. The exploits associated with the W32.Arpiframe Worm are believed to target ActiveX and Graphics Rendering Engine (GDI) vulnerabilities in the Microsoft Windows operating system.
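Because the IFRAME is inserted into responses in transit, a proxy or intrusion detection system that inspects HTTP bodies can catch it. The following added example (not code from the original write-up) shows such a check over a constructed HTML response for the assumed intranet host intranet.example.org: it uses Python's standard html.parser to collect every IFRAME and reports those that point to a foreign host, are hidden by zero dimensions or a display:none style, or appear after the closing </html> tag, which is where injected content typically lands when it is appended to an otherwise complete response.

```python
"""Injected-IFRAME detector for HTTP response bodies (added example, not from the page).

Each IFRAME in the body is reported with the reasons it looks suspicious:
    foreign_host     - src host is not the page host or one of its subdomains
    hidden           - zero width/height or display:none / visibility:hidden style
    after_html_close - the tag appears after </html>, i.e. appended to the document
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate same-origin frame inside the page, plus a hidden
# frame to a foreign host (reserved .invalid TLD) appended after </html>.
SAMPLE_PAGE_HOST = "intranet.example.org"
SAMPLE_RESPONSE_BODY = """\
<html>
<head><title>Intranet portal</title></head>
<body>
<p>Welcome.</p>
<iframe src="/news/frame.html" width="400" height="200"></iframe>
</body>
</html>
<iframe src="http://injected.invalid/load.html" width="0" height="0" style="display:none"></iframe>
"""


class IframeCollector(HTMLParser):
    """Record every <iframe> with its (line, column) and where </html> was seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # list of (attrs dict, (line, col))
        self.html_closed_at = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.getpos()))

    def handle_endtag(self, tag):
        if tag == "html" and self.html_closed_at is None:
            self.html_closed_at = self.getpos()


def _is_hidden(attrs):
    """True when the frame would not be visible to the user."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) == 0:
            return True
    return False


def _is_foreign(src, page_host):
    """True when src points outside the page host and its subdomains."""
    host = urlparse(src).hostname
    if host is None:              # relative URL -> same origin
        return False
    return host != page_host and not host.endswith("." + page_host)


def analyze_http_body(body, page_host):
    """Return a list of suspicious IFRAMEs, each with src, line number and reasons."""
    parser = IframeCollector()
    parser.feed(body)
    parser.close()
    findings = []
    for attrs, pos in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if _is_foreign(src, page_host):
            reasons.append("foreign_host")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if parser.html_closed_at is not None and pos > parser.html_closed_at:
            reasons.append("after_html_close")
        if reasons:
            findings.append({"src": src, "line": pos[0], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_http_body(SAMPLE_RESPONSE_BODY, SAMPLE_PAGE_HOST):
        print(finding)
```

On a real proxy the body would be taken from the decoded response and the page host from the request's Host header; a foreign but visible frame is common on legitimate sites, so the hidden and after_html_close reasons are the ones that should raise an alert on their own.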