W32.Browaf
Aliases: Backdoor.Win32.VB.ama (Kaspersky), Troj/Bckdr-DH (Sophos), W32/VB.AMA!tr.bdr (Fortinet), Win32/Browaf.A (CA), Win32/Browaf.A (Symantec), WORM_BROWSAFE.A (Trend Micro)
Variants: N/A
Classification: Malware
Category: Computer Worm
Status: active & spreading
Spreading: moderate
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: hard
Platform: W32
Discovered: 22 May 2006
Damage: Low
Characteristics: The W32/Browaf.worm program aims to spread via Yahoo Messenger and IRC by spamming messages containing a link to the worm.
W32.Browaf Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
More details about W32.Browaf
The W32/Browaf.worm program can install its own Web browser and change your Internet Explorer settings. If it succeeds in changing your Internet Explorer settings, it may also randomly play booming music that loops in the background. If you use mIRC chat sites, do not always trust them; many viruses and underground worms circulate on such sites alone.

Once executed, the worm displays this message: “Please wait….” Then a message box appears saying: “Download OK, Download is complete.” If this message box appears, the worm creates the following files:

C:\TEMP\icon.ico
C:\TEMP\msinet.exe
C:\TEMP\Browser.exe
C:\TEMP\ftpbrowser.exe
C:\TEMP\Startup.exe
C:\TEMP\Sys.dll
C:\YSND\Ysnd.exe
%Userprofile%\Start Menu\Internet Browser.lnk
%Userprofile%\Start Menu\Programs\Startup\YMSND.lnk
It also adds certain registry entries to your system and automatically starts itself when Windows starts. In addition, it installs its own Web browser and connects to these URLs:

http://laman[Removed]/command.txt
http://laman[Removed]/install/index.php

Furthermore, messages such as the following may appear in Yahoo Messenger:

“New yahoobrowser http://laman[Removed]/voice”
“Sss.. !!!.. :D http://www.laman[Removed]/voice”
“Where Is k_m_b_g E_s_m ??? :o http://www.laman[Removed]/voice”
“Who Am I ? !!!.. He he he... Http://www.laman[Removed]/voice”
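
The following Python code is an added example, not part of the original write-up or of any vendor tool. It checks a drive root and a set of user profile directories for the file artifacts listed above, matching names case-insensitively so that it also works on a Windows disk image mounted on another operating system. The function names, the profile name and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Relative paths from the write-up; the caller supplies where "C:\" and each
# "%Userprofile%" live (live system, or a disk image mounted for triage).
DRIVE_ARTIFACTS = [r"TEMP\icon.ico", r"TEMP\msinet.exe", r"TEMP\Browser.exe",
                   r"TEMP\ftpbrowser.exe", r"TEMP\Startup.exe", r"TEMP\Sys.dll",
                   r"YSND\Ysnd.exe"]
PROFILE_ARTIFACTS = [r"Start Menu\Internet Browser.lnk",
                     r"Start Menu\Programs\Startup\YMSND.lnk"]

def resolve_nocase(base, win_relpath):
    """Resolve a backslash-separated path under base, ignoring case per component."""
    current = base
    for part in win_relpath.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:  # missing, unreadable, or not a directory
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_browaf_artifacts(drive_root, profile_dirs):
    """Return (indicator, path_on_disk) for every listed artifact that exists."""
    hits = []
    for rel in DRIVE_ARTIFACTS:
        found = resolve_nocase(drive_root, rel)
        if found:
            hits.append(("C:\\" + rel, found))
    for profile in profile_dirs:
        for rel in PROFILE_ARTIFACTS:
            found = resolve_nocase(profile, rel)
            if found:
                hits.append(("%Userprofile%\\" + rel, found))
    return hits

def demo():
    """Scan a constructed tree (not real data) holding three of the artifacts."""
    with tempfile.TemporaryDirectory() as root:
        profile = os.path.join(root, "Users", "alice")  # hypothetical profile
        for rel in ("temp/MSINET.EXE", "YSND/Ysnd.exe",
                    "Users/alice/Start Menu/Programs/Startup/ymsnd.lnk"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [name for name, _ in find_browaf_artifacts(root, [profile])]

if __name__ == "__main__":
    print(demo())
```

Several of these file names are generic, so a hit is a lead to investigate alongside the other behaviour described here rather than confirmation of infection.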