Aliases: W32.Emiutao.
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 01 Apr 2007
Damage: Medium

Characteristics: Removable storage devices are a common propagation channel for this kind of malware. W32/Emiutao infects Windows platforms including Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. The worm spreads primarily through removable drives. It opens TCP port 327, which a remote attacker can use to gain access to the infected computer. It also drops additional infected files or executable programs on the compromised computer, and it copies itself in order to propagate.

More details about W32.Emiutao

Once installed, the worm is reported to congest Internet and network connections, since it uses them to propagate. Some reports indicate that W32.Emiutao can give a remote attacker control over the compromised computer, using Internet Relay Chat (IRC) channels to receive the attacker's commands. The attacker can then do virtually anything on the machine, as if sitting at its keyboard: delete files, modify system settings, stop security applications, control hardware devices, install spying tools, and even shut the computer down.

The worm copies itself into the Windows folder as svchost.exe, ime.sys, msvbvm60.dll, mswinsck.ocx, mswsock.dll and ime.exe. It also modifies registry keys so that it runs every time the computer starts. It creates autorun.inf, thumbs.bat and desctop.ini on the root of every drive, and disables the antivirus program on the computer. Once it has spread to the drive roots, it can also spread further malicious files on the infected computer. Removal must be done carefully: deleting the wrong file can damage the system further, since several of the names above (for example svchost.exe and mswsock.dll) are also the names of legitimate Windows files that normally live under the System32 folder. Search the Windows system directories, where this worm usually installs itself, and remove every copy; there may be several in different locations.
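The file-based indicators above can be checked without deleting anything. The script below is an added example written for this page, not vendor or removal-tool code: it reports which of the named marker files exist on each drive root, what the autorun.inf on that root would launch on insertion, and which of the dropped names sit directly in the Windows folder (rather than in System32, where the legitimate svchost.exe, mswsock.dll, msvbvm60.dll and mswinsck.ocx belong). The autorun.inf content used in demo() is constructed to exercise the parser; the page does not show the worm's real file, and the registry Run value it writes is not named on the page, so the script does not check the registry.

```python
"""IOC sweep for the W32.Emiutao drop set described on this page.

Added example, not vendor code. Reports only; it never deletes anything.
"""
import os
import tempfile
from pathlib import Path

# Names the page says are created on the root of every drive.
ROOT_MARKERS = ("autorun.inf", "thumbs.bat", "desctop.ini")

# Names the page says the worm copies into the Windows folder. Several of
# them are legitimate files that normally live under System32, so the test
# is "present directly in %WINDIR%", not "present anywhere on the system".
WINDIR_DROPS = ("svchost.exe", "ime.sys", "msvbvm60.dll",
                "mswinsck.ocx", "mswsock.dll", "ime.exe")

# [autorun] keys that run code when the drive is inserted or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Minimal INI parser: returns {(section, key): value}, all lowercased keys.

    Hand-written rather than configparser because hostile autorun.inf files
    are often malformed (duplicate keys, odd whitespace, missing section).
    """
    entries = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[(section, key.strip().lower())] = value.strip()
    return entries


def autorun_launch_targets(entries):
    """Return every command the [autorun] section would execute."""
    targets = []
    for (section, key), value in entries.items():
        if section != "autorun":
            continue
        # open=, shellexecute=, and any shell\<verb>\command= entry
        if key in LAUNCH_KEYS or (key.startswith("shell\\")
                                  and key.endswith("\\command")):
            targets.append(value)
    return targets


def scan_drive_root(root):
    """Which marker files exist on this root, and what its autorun.inf launches."""
    root = Path(root)
    found = [name for name in ROOT_MARKERS if (root / name).exists()]
    targets = []
    inf = root / "autorun.inf"
    if inf.is_file():
        targets = autorun_launch_targets(
            parse_autorun_inf(inf.read_text(errors="replace")))
    return {"root": str(root), "markers": found, "launches": targets}


def scan_windows_dir(windir):
    """Which of the dropped names sit directly in the Windows folder."""
    windir = Path(windir)
    return [name for name in WINDIR_DROPS if (windir / name).is_file()]


def sweep(drive_roots, windir):
    """Run both checks and return one report dict."""
    return {"roots": [scan_drive_root(r) for r in drive_roots],
            "windir_drops": scan_windows_dir(windir)}


def default_drive_roots():
    """On Windows every existing C:\\ .. Z:\\ root; elsewhere just / so it still runs."""
    if os.name == "nt":
        return [f"{c}:\\" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ"
                if os.path.exists(f"{c}:\\")]
    return ["/"]


def demo():
    """Build a constructed infected layout in a temp dir and sweep it.

    The autorun.inf below is made up to exercise the parser (note the
    duplicate key); the page does not show the worm's actual file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        drive, windir = Path(tmp) / "drive", Path(tmp) / "WINDOWS"
        drive.mkdir()
        windir.mkdir()
        (drive / "autorun.inf").write_text(
            "[AutoRun]\r\nopen=thumbs.bat\r\nshell\\open\\command=thumbs.bat\r\n"
            "; duplicate key on purpose\r\nopen=thumbs.bat\r\n")
        (drive / "thumbs.bat").write_text("@echo constructed sample\r\n")
        (windir / "ime.exe").write_bytes(b"MZ")
        return sweep([drive], windir)


if __name__ == "__main__":
    print(sweep(default_drive_roots(), os.environ.get("WINDIR", r"C:\WINDOWS")))
```

Run it on the suspect machine as an administrator so every drive root and the Windows folder are readable. A hit on the drive-root markers plus an autorun.inf that launches thumbs.bat is the pattern the page describes; a hit on the Windows-folder names is worth confirming by hand before deleting, precisely because those names collide with legitimate System32 files.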