Aliases: Trojan.Win32.KillWin.fk, W32.Dronzho, TR/Spy.65536.I, Mal/Generic-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 04 Dec 2007
Damage: Low

Characteristics: W32.Dronzho is a worm that spreads actively through removable drives and replaces userinit.exe with a copy of itself. It affects all Windows operating system platforms. It can also record confidential information by logging keystrokes on the compromised computer, and this logging is active whenever the computer is started or restarted.

More details about W32.Dronzho

W32.Dronzho drops files and components, since the worm is a component bundled with other malware packages, which can be obtained from malicious websites. The user should therefore deny all incoming connections and allow only trusted services. Strong passwords are also key to protecting files and programs. The AutoPlay feature should be disabled to prevent executable files on network and removable drives from launching automatically, and such drives should be disconnected when not required. File sharing should be turned off if it is not needed. Do not install or enable services simply because a prompt appears on screen; such prompts are a common avenue of attack. Bluetooth and mobile connections should likewise be turned off and not left open or enabled when not in use.

This worm sends the information it gathers from the system to a predetermined email address. It infects all removable drives so that it executes automatically each time an infected drive is accessed. Once executed, the infected computer or removable drive may contain the following files: AutoRun.inf, HELP.EXE, 1.DAT, 2.DAT, 4.DAT, 11.DAT (a Chinese version of notepad.exe) and 12.DAT. These DAT files in turn create the following files: calc.exe, mspw.dll, c_20718.nls, c_20819.nls, c_20921.nls and c_20996.nls. When the userinit.exe file is already present on the computer, the system processes include copies of svchost.exe, userinit.exe and mshelp.dll. In order to steal information or log keystrokes typed on the compromised computer, the worm attaches itself to explorer.exe.
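The file names above are the observable artifacts a defender can look for on a removable drive. The following script is an added example written for this entry and is not code from the vendor that published it: it walks the root of a drive (any directory path), reports which of the listed file names are present, and parses AutoRun.inf for launch entries, flagging the drive when a launch target is one of the listed files. The sample drive it builds is constructed for illustration; the page does not state the contents of the worm's AutoRun.inf, so the `open=HELP.EXE` entry in the sample is an assumption, not an observed value.

```python
import tempfile
from pathlib import Path

# File names this entry lists as dropped on an infected drive or computer.
DROPPED_ON_DRIVE = {"autorun.inf", "help.exe", "1.dat", "2.dat", "4.dat", "11.dat", "12.dat"}
# Files the entry says the DAT components create in turn.
DROPPED_BY_DAT = {"calc.exe", "mspw.dll", "c_20718.nls", "c_20819.nls", "c_20921.nls", "c_20996.nls"}
KNOWN_ARTIFACTS = DROPPED_ON_DRIVE | DROPPED_BY_DAT

# autorun.inf keys that cause a program to be launched when the drive is opened.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the launch targets named in an autorun.inf body, lower-cased."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):  # comments and section headers
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in AUTORUN_LAUNCH_KEYS:
            targets.append(value.strip().lower())
    return targets


def scan_drive_root(root):
    """Inspect the top level of a drive for the artifacts this entry lists."""
    root = Path(root)
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    artifacts = sorted(set(files) & KNOWN_ARTIFACTS)

    autorun_targets = []
    if "autorun.inf" in files:
        body = files["autorun.inf"].read_text(errors="replace")
        autorun_targets = parse_autorun(body)

    # Flag the drive if autorun launches a listed file, or several listed files coexist.
    launches_artifact = any(Path(t).name in KNOWN_ARTIFACTS for t in autorun_targets)
    suspicious = launches_artifact or len(artifacts) >= 2
    return {
        "artifacts": artifacts,
        "autorun_targets": autorun_targets,
        "suspicious": suspicious,
    }


def build_sample_drive(infected=True):
    """Create a constructed drive root in a temp directory for demonstration."""
    root = Path(tempfile.mkdtemp())
    if infected:
        # Assumed autorun body: the entry does not state what the worm writes here.
        (root / "AutoRun.inf").write_text("[autorun]\nopen=HELP.EXE\nshellexecute=HELP.EXE\n")
        for name in ("HELP.EXE", "1.DAT", "11.DAT"):
            (root / name).write_bytes(b"")  # empty placeholder files, constructed
    return root


if __name__ == "__main__":
    for state in (True, False):
        print("infected" if state else "clean", scan_drive_root(build_sample_drive(state)))
```

Matching is case-insensitive because Windows file names are; on a real system the check should be paired with verifying that `%SystemRoot%\System32\userinit.exe` still carries a valid Microsoft signature, since the entry states the worm replaces that file.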