Aliases: W32.Ecup!p2p
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 May 2006
Damage: Low

Characteristics: W32.Ecup is a worm that propagates through known file-sharing networks. It infects all Windows Operating Systems including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP platforms. Like other worms, W32.Ecup also duplicates itself through randomly named files. The files usually consists of as, svchost.exe, updated.rar (this include a description of the month or day), updated-fixed.zip(this include a description of the month or day), Setup.exe, Install.exe and _Run_Me_First.exe. The month and day clauses may vary depending on the worm’s input.

More details about W32.Ecup

W32.Ecup also modifies registry keys so that it will run whenever Windows restarts. In addition, it creates its own log.txt file in the active folder of the compromised computer. Thus, it displays a text saying,” PRE-INSTALL v1.07, (C) pUcE Software 2006 Pre-install has checked your config. Everything is ok, you can now run the setup program Enjoy!” If this is already present in your system, then your computer is already infected. The file may be manually removed from the system through different ways. One is through killing the system processes. The other is through deleting registry values and/or .exe files. To kill the processes, you may need to go to Windows Task Manager and click “Processes”. You may also press the following key combination: CTRL+ALT+DEL or CTRL+SHIFT+ESC. Check all the list of files actively running and find all the .exe files. Right click on the file and choose “end process.” A box will appear and you need to choose yes. You may also search for the file. Most parasites attempt to hide their tracks. You have to enable the display of hidden and system protected files. To do this, open Windows Explorer, click on the Tools menu, and select Options. By doing this, you are making the hidden files visible. From the View tab, click on the Advanced Settings list, find the option Show hidden files and folders, and click on it. Then, remove a checkmark next to the line Hide protected Operating System files. By doing this, all infected files and or processes may be seen. Every worm or virus mostly contains programs that may damage your computer. They all have their own files, some of them are patched up and some of them are not.

The W32.Ecup application consists of two major parts namely the server and the client. The client module of the program is controlled by a remote user via Local Area Network or Internet connection. This module contains the main controls used to configure and deploy server modules on the monitored computers. The server component of the application is installed on the user's computer. The server module utilizes Transmission Control Protocol (TCP) port to communicate with the client part of the W32.Ecup program. It is often set to run automatically on the system start-up to avoid detection and removal by the user.