Aliases: W32/[email protected], I-Worm.Centar.a, WORM_HORSMAN.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 07 Apr 2003
Damage: Medium

Characteristics: Last April 7, 2003, W32.Fourseman.A was found. W32.Fourseman.A is a worm that tries to send itself to all email addresses that can be found in the .htm, .htt, .html and .dbx files. This mass-mailing worm mostly affects several Windows Systems, namely Windows 2000, 95, 98, Me, NT and XP.

More details about W32.Fourseman.A

Since this mass-mailing worm infects email addresses, it is very important to know the characteristics this W32.Fourseman.A is using. The subject on the email is “Very important patch!” and has an attachment that comes in either one of the following: Win_Security_Patch_2602.exe, SProcess.exe or Great_Virus_Creation_Kit.exe. The W32.Fourseman.A also has the ability to remove different security-related software. This worm is installed by copying itself and terminates processes that have the following strings: avp, kav, nav, scan, anti, alert, mon and check. Then, it creates"%Temp%\LogData.vbs" to be able to perform the email routine. Based on the creation of that CBScript, the worm sends itself to its target. The target is all email addresses found in the following extensions: .htm, .html, .htt, and .dbx.

Users may allow the W32.Fourseman.A program to access to the system without knowing it is malicious in nature. It may be received from e-mails or instant messages. The infected file can also be downloaded from websites or peer-to-peer (P2P) file sharing networks. The W32.Fourseman.A application can also enter the system via drive-by-downloads. The application may open an unused system port. This acts as the backdoor. All information that passes through it will bypass installed anti-malware programs. This can be used to connect to remote servers. Files may then be downloaded in the system.