Aliases: N/A
Variants: W97M.Astia.W W97M

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 Mar 2004
Damage: Medium

Characteristics: W32.Expobot.Worm steals confidential data from the compromised computer. This worm may steal private information on the compromised computer. This information may lead to the hands of the black market. Confidential email messages and or usernames and passwords can also be sold or used in the Internet. It waits for command before this Trojan will spread on the compromised computer’s network shares. It affects all Windows platforms namely, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

More details about W32.Expobot.Worm

Once executed, it copies itself as Shell32.dll and ntdll38.dll, browser helper object file, on windows directory folders. Users may also see a mutex described as, “ONLYONETIMEFOREXPLOREPEXEDELL." This mutex guarantees only one copy of this will run in explorer. If this mutex is already running, the Trojan uploads files to the remote server then collects information on each shared resource and its file system, and sends it to the remote server and enumerates all the network resources. This will also search all drives on the local system for files with the following extension: .doc, .txt, .ppt, .xls, .mdb, .zip, .rar, .eml, .njx and .pgp. However, this will not infect a network resource with name “R.” This “R” connotes remote resource.

According to expert users, this malware program may be downloaded from various sources on the Web. It may be acquired by visiting and downloading files and programs from unsolicited sites, specifically freeware programs, infected audio and video files, presentation files, and the like. There is a high probability that malicious programs will modify these files to incorporate the script of this program to be installed automatically when run. The installation of the W32.Expobot.Worm application may incorporate a stealth design. It may first reside in the memory and install its components on the machine's storage area. This malware variant only affects computers running on Windows Operating Systems.