Aliases: Win32.HLLP.Riaz, Win32.HLLP.Xenon
Variants: W32.Axon.b

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 08 May 2004
Damage: Low

Characteristics: The W32.Axon worm is a P2P or peer to peer worm. The worm’s main objective is to look for a P2P client installed in a target machine. These P2P clients include Kazaa, iMesh, Wareo and eMule.

More details about W32.Axon

Upon its arrival in the target machine, the W32.Axon worm will check if a P2P client is installed. In the event that a P2P client is detected, the worm will alter the P2P client’s configuration settings. This is done by the worm in order for default shared resources to include the infected file created by the worm. The worm may also connect to a predetermined IRC server so that it can update itself. Once the W32.Axon worm has infected a file, it will then copy itself to the temp directory as C:\ Windows\ Temp\ ZzZ.tmp. The W32.Axon worm is known to propend itself to files that have the EXE extension. The worm is likewise reported to delete files that with the AVI and MP3 extension.

It has been observed that the W32.Axon worm is distributed on P2P file sharing networks by utilizing misleading filenames like keygen.exe. This worm is also known to display a message box containing the vulgar message “but I f**k the RIAA!”. To eliminate the W32.Axon worm, all files associated with it should be removed upon detection. You can go to Windows Task Manager and then view the list of all running processes. Once all malicious files have been detected, terminate them by clicking the "End Process" button. You can also try to determine the malware’s associated files’ exact locations in the hard drive and then delete them. You can then turn on your antivirus program to make sure that the W32.Axon worm and all malicious files associated with it have been completely erased from your drive.