Aliases: W32/Deletemp3.worm, W32/DelMP3-ATrj/Autorun.J, Virus.Win32.AutoRun.ah, Win32/AutoRun.AH, WORM_DELF.HXZ

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 30 Jul 2007
Damage: Medium

Characteristics: W32.Deletemusic is a worm written in Borland Delphi. Its payload is to primarily delete any mp3 files that are infected in the computer. Not only that, it will also infect the Windows system.

More details about W32.Deletemusic

W32.Deletemusic is a self-replicating worm that is designed specifically to spread to all drives in the computer. This means that the worm will delete all .mp3 files. It can also make the processor run slowly and the Windows system will be infected. The worm will disguise as a dropped file of a malware or it can be downloaded from the Internet. In the System folder, the worm replicates itself as logon.bat and csrss.exe while in the Windows folder, arena.exe is formed through the propagation of the worm. Then the worm will modify itself in the registry with certain keys. This program also copies csrss.exe and autorun.inf in the executable drives like the floppy disk drive, USB drive and CD drive after the worm creates itself in the removable devices as [DRIVE LETTER]:\csrss.exe and [DRIVE LETTER]:\autorun.inf. After altering the security settings, the worm creates certain entries, and then the worm is ready to delete all .mp3 files on all executable drives.

Another method to propagate the program is through peer-to-peer (P2P) file sharing programs. P2P applications are programs wherein users are able to share different kinds of media files. These media files include images, videos, audio, games and programs. P2P applications make use of a Shared folder accessible to everyone connected to the network. The Shared folder serves as the storage of the downloaded files. The encrypted files are found on this location. Users unknowingly download the program as the components utilize file names that appear as legitimate Windows files. This worm affects computers with running Windows 2000, 95, 98, Me, NT, Server 2003, XP, and Vista.