Aliases: Worm_Vodni.A, Email-Worm.Win32.Ainjo.g, W32/[email protected]
Variants: Worm/Indor.A, W32/Indor-A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Asia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 16 Sep 2002
Damage: Medium

Characteristics: The W32.Indor malware is a mass mailing worm. This malware utilizes the application Microsoft Outlook for sending itself to all the contacts found in the application’s address book. The infected email’s message, attachment and subject will vary. It can also propagate across networks. This threat is written in the programming language Visual Basic by Microsoft and is packed using Petite.

More details about W32.Indor

Once this security risk executes, it will show a fake message stating that a .zip file is damaged because of a file transfer error. It will then copy itself in the computer several times as .exe files and try to copy itself to floppy disks with .exe and .scr files that are sexily named and with random numbers. The malware will then search every folder and subfolder for files having the extensions exe, lnk, txt, xls, doc, mp3, jpg, mpg, htm, rar, asp, zip and html. When it finds such files, it will copy itself in the same folder using the same name but with the addition of .pif file extension after the original name’s file extension such as xxxx.exe.pif. The W32.Indor worm will likewise add a value to the registry, a section in the Indonesian and English language in the Windows .ini file and a line to the Windows portion of the .ini file. In the event that the Mirc.ini file exists, the malware will overwrite it and send itself to mIRC contacts as a different file.

The payload of the W32.Indor worm includes displaying a message titled ‘Indovirus Network’ on any month’s first day. Next, it will open the system’s default Web browser and connect to the site indovirus.net. It will also kill processes that the worm deems as security related. Likewise, the worm will delete every .ini file located in the Windows folder and will change a value in the Windows registry. To remove its infection, locate all the worm’s dropped files by using the feature ‘Search’ that is available on all Windows platforms. When found, delete all the files and then reboot the system in Safe Mode. Restore all the modifications done by the malware to the registry as well as the modifications done to the System.ini and Win.ini files. Last, replace the .ini files deleted by the worm.