Win32.Rever, W32/Forever, PE_REVER.A
Category: Computer Worm
Some parts of Asia, Europe, North and South America, Africa and Australia
27 Mar 2001
Also known as Win32.Rever, W32/Forever, and PE_REVER.A, W32.Forever.Worm is a worm that was first found on March 27, 2001. It had two variants when it was discovered. It primarily affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.
W32.Forever.Worm Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Forever.Worm from your computer.
More details about W32.Forever.Worm
Each variant of W32.Forever.Worm uses its own SMTP engine to propagate itself. This worm infects emails. Its messages have some particular characteristics: they are mailed from [email protected] with a subject and an attachment of IE5patch.exe. Once the worm runs, the first variant displays a fake “Fatal Error” message, while the other variant displays a message reading Win32.Forever. The worm then creates the file C:\%system%\Reverof.exe, which is set as hidden, read-only and system. Next, the worm adds a value to the system registry key. When reverof.exe shows a message, the worm modifies one particular system registry key. Lastly, the worm retrieves the email account and SMTP server. Using its SMTP engine, it sends itself to all email addresses listed in the contact list or email address book.
The worm is spread by sending itself to email addresses with the following file extensions through its SMTP engine: .exe, .scr, .cpl, .bat, .rar, .arj, .zip, .cab, .htm and .wab. According to reports, the W32.Forever.Worm program infects a computer through security holes in the Web browser and downloads additional third-party software. It tracks activities in the system and in the registry. The pop-up ads that this program generates are programmed to match the browsing behavior of the user. It is claimed that it cannot be detected by firewalls and anti-virus programs because it masks itself as a valid program in the infected system. Once the W32.Forever.Worm program is executed, it is said to drop an embedded file in the User Profile and Documents and Settings folder. It likewise injects a DLL file into the Winlogon process and injects itself into it.
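As an added example (not part of the original write-up or of any vendor tool), here is a mail-gateway style check for the attachment name given above, IE5patch.exe. The function names and sample messages are constructed for illustration, and the check also descends into forwarded (message/rfc822) parts, which goes slightly beyond the single message the description covers.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator taken from the description above: the attachment name.
INDICATOR_NAMES = {"ie5patch.exe"}


def suspicious_attachments(raw_bytes):
    """Return the attachment filenames in a raw message that match the indicator."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() visits every MIME part, including parts of forwarded messages.
    for part in msg.walk():
        name = part.get_filename()  # decoded filename, or None
        if not name:
            continue
        # Normalise: drop any path prefix, then the trailing dots/spaces
        # that Windows ignores when the file is saved, then fold case.
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        base = base.strip().rstrip(". ").lower()
        if base in INDICATOR_NAMES:
            hits.append(name)
    return hits


def build_sample(filename):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"      # constructed address
    m["To"] = "user@example.invalid"          # constructed address
    m["Subject"] = "constructed test message"
    m.set_content("body text")
    m.add_attachment(b"constructed placeholder bytes, not malware",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def build_forwarded(filename):
    """Constructed message that carries build_sample() as a forwarded attachment."""
    inner = email.message_from_bytes(build_sample(filename), policy=policy.default)
    outer = EmailMessage()
    outer["Subject"] = "constructed forward"
    outer.set_content("see attached message")
    outer.add_attachment(inner)  # stored as message/rfc822
    return outer.as_bytes()
```

A filename match alone is a weak signal, so a gateway would normally quarantine the message for inspection rather than treat the hit as a verdict.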