Aliases: Worm.Win32.AutoIt.r, W32/YahLover.worm, WORM_AUTORUN.BWK, W32/Yuner-A, Worm:Win32/Yuner.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: Europe, US
Removal: Hard
Platform: W32
Discovered: 03 Oct 2007
Damage: Medium

Characteristics: The W32.Badday.A worm is capable of spreading through removable and mapped drives. It can likewise lower the security settings of the machine it has infected.

More details about W32.Badday.A

Once the worm W32.Badday.A is run in the compromised machine, it will create the files taskfile.exe and hostdll.exe in the System folder. It will also create the file scvhost.exe in the folder C:\ Windows\ Media\ Startup and the files HaveaBadDay.sys and spool32.exe in the folder C:\ Windows. The malware will then create the file New_Folder.exe on the drives C to K if these drives are present. It will also create the file autorun.inf so that the worm runs when the drive is used. Likewise it will copy itself in drives C to K using the filenames cool data.exe, NewFolder(4).exe, dataku.exe, data kuliah.exe, NewFolder(5).exe, system.exe or funny doc.exe. The W32.Badday.A worm will then create copies of itself in the CurrentFolder location with the files jangan dihapus .exe, my sweety .exe, foto cewek .exe, kekasishku .exe, data penting .exe, downlodan .exe, update antivir .exe, kumpulan program .exe, movie bkp .exe, nitip .exe and folder option .exe. The worm will then create the registry entries so that it can run when Windows starts and to disable the Windows Registry Editor.

The W32.Badday.A program is also known to search the system for files with the extensions .txt, .doc, .mpg, .wmv, .rar, .jpg and .3gp. It will close all windows with the words hijack, kill, process and reg. It will likewise continuously copy the message “Have a Bad Day” to the clipboard. For the infection of the W32.Badday.A worm to be eliminated, users have to search the system for all the worm’s dropped files and then delete them. All registry entries created by the malware should also be removed. It is important to note that users should create a backup file of the registry before making any alterations to it. Users would also have to restore these registries to their original settings instead of deleting them.