Aliases: W32/Evol, I-Worm/Evol, WORM_EVOL, W32/[email protected], Evol Internet Worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 13 Feb 2000
Damage: Medium

Characteristics: W32.Evol is classified as one of the most damaging worms; it may cause system crashes, data loss, and performance degradation. This single-code worm spreads through self-duplication on all Windows 9x, Windows 2000, and Windows NT operating system platforms. This worm is the only one that uses a metamorphic engine written in a 32-bit virus. Bugs in this virus are not fatal enough, even though it is replicating. Because it is metamorphic, it can regenerate itself into a new form. The code changes intermittently, leaving no traces, which makes it very hard to find. Even several antivirus programs had a hard time detecting the virus. W32.Evol does not generate new infections quickly. This worm also attacks GUI applications, but it is limited to ".dll" and/or ".exe" files with exports.

More details about W32.Evol

Before infecting, the virus checks the code of the target file to see whether there is space for its mutated body. As a result, small files are not infected. The unusual infection method makes the virus anti-heuristic. The virus saves the entry-point code of the file to the end of the PE image and writes its body into the first section. It also monitors and records a log of the physical entry point of the PE files it infects. When it succeeds at the entry point of GUI PE files, it searches for executables on local drives and on the network.
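Because the body changes with each generation, a fixed byte signature is of little use, but the two regions named above (the first section and the end of the file) can be compared against a known-good copy. The following is an added example, not part of the original write-up: a minimal PE header parser that fingerprints those regions; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

def pe_fingerprint(data: bytes) -> dict:
    """Record the regions the description says an infection changes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i                    # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, max(vsize, rsize), rptr, rsize))
    if not sections:
        raise ValueError("no section table")
    ep_sec = next((s[0] for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    # Hash only the first section's raw bytes: that is where the body is written.
    _, _, _, rptr, rsize = sections[0]
    return {
        "entry_rva": entry_rva,
        "entry_section": ep_sec,
        "first_section_sha256": hashlib.sha256(data[rptr:rptr + rsize]).hexdigest(),
        "file_size": len(data),  # grows if code is saved to the end of the file
    }

def changed_fields(baseline: dict, current: dict) -> list:
    """Names of fingerprint fields that differ from the known-good baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])

def build_sample(code: bytes, tail: bytes = b"") -> bytes:
    """Constructed test input: PE32 headers with one .text section, not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + code.ljust(0x200, b"\0") + tail
```

A changed first-section hash together with a larger file size on a binary that was never legitimately updated is the pattern to investigate; either field alone also changes on an ordinary software update.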

There is a possibility that the W32.Evol program is being used by hackers and malicious programs to initiate an attack on the infected machine. Experts speculate that this malware may be distributed as a server or a client, where one has the potential to synchronize with the other. It was claimed that the server variant of the program is installed on the target machine and that the client version of the malware is used by the remote user to access its counterpart and initiate an attack. The attack patterns may include denial of service, identity theft, malware propagation, and so on.