Category: Computer Worm
Asia, North and South America, and some parts of Europe and Australia
25 Mar 2004
W32.Expobot.Worm steals confidential data from the compromised computer. This worm may steal private information on the compromised computer. This information may lead to the hands of the black market. Confidential email messages and or usernames and passwords can also be sold or used in the Internet. It waits for command before this Trojan will spread on the compromised computer’s network shares. It affects all Windows platforms namely, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.
W32.Expobot.Worm Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Expobot.Worm from your computer.
More details about W32.Expobot.Worm
Once executed, it copies itself as Shell32.dll and ntdll38.dll, browser helper object file, on windows directory folders. Users may also see a mutex described as, “ONLYONETIMEFOREXPLOREPEXEDELL." This mutex guarantees only one copy of this will run in explorer. If this mutex is already running, the Trojan uploads files to the remote server then collects information on each shared resource and its file system, and sends it to the remote server and enumerates all the network resources. This will also search all drives on the local system for files with the following extension: .doc, .txt, .ppt, .xls, .mdb, .zip, .rar, .eml, .njx and .pgp. However, this will not infect a network resource with name “R.” This “R” connotes remote resource.
According to expert users, this malware program may be downloaded from various sources on the Web. It may be acquired by visiting and downloading files and programs from unsolicited sites, specifically freeware programs, infected audio and video files, presentation files, and the like. There is a high probability that malicious programs will modify these files to incorporate the script of this program to be installed automatically when run. The installation of the W32.Expobot.Worm application may incorporate a stealth design. It may first reside in the memory and install its components on the machine's storage area. This malware variant only affects computers running on Windows Operating Systems.