Worm_Vodni.A, Email-Worm.Win32.Ainjo.g, W32/[email protected]
Category: Computer Worm
Asia, North America, Europe
16 Sep 2002
W32.Indor is a mass-mailing worm. It uses Microsoft Outlook to send itself to every contact found in the Outlook address book. The message, attachment and subject of the infected email vary. It can also propagate across networks. The worm is written in Microsoft Visual Basic and is packed using Petite.
W32.Indor Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Indor from your computer.
More details about W32.Indor
Once the worm executes, it shows a fake message stating that a .zip file is damaged because of a file transfer error. It then copies itself to the computer several times as .exe files and tries to copy itself to floppy disks as .exe and .scr files with sexually suggestive names and random numbers.
The worm then searches every folder and subfolder for files with the extensions exe, lnk, txt, xls, doc, mp3, jpg, mpg, htm, rar, asp, zip and html. When it finds such a file, it copies itself into the same folder under the same name, with a .pif extension added after the original file extension, such as xxxx.exe.pif.
The W32.Indor worm also adds a value to the registry, a section in Indonesian and English to the Windows .ini file, and a line to the Windows portion of the .ini file. If a Mirc.ini file exists, the worm overwrites it and sends itself to mIRC contacts as a different file.
The payload of the W32.Indor worm includes displaying a message titled ‘Indovirus Network’ on the first day of any month. Next, it opens the system’s default Web browser and connects to the site indovirus.net. It also kills processes that the worm deems security related. Likewise, the worm deletes every .ini file located in the Windows folder and changes a value in the Windows registry.
To remove the infection, locate all of the worm’s dropped files using the ‘Search’ feature that is available on all Windows platforms. When found, delete all the files and then reboot the system in Safe Mode. Restore all the modifications made by the malware to the registry, as well as the modifications made to the System.ini and Win.ini files. Last, replace the .ini files deleted by the worm.
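One way to locate the .pif copies described above during cleanup, as an added example that is not part of the original write-up or any vendor tool: a Python scan for files named `<name>.<ext>.pif` where `<ext>` is one of the listed target extensions. The function names and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Extensions the write-up lists as targets for the worm's .pif copies.
TARGET_EXTS = {"exe", "lnk", "txt", "xls", "doc", "mp3", "jpg", "mpg",
               "htm", "rar", "asp", "zip", "html"}


def find_pif_companions(root):
    """Return sorted (pif_path, original_path_or_None) pairs under root.

    A hit is a file named <name>.<ext>.pif with <ext> in TARGET_EXTS.
    original_path is set when <name>.<ext> sits in the same folder,
    matching the described drop pattern; None means it is absent.
    """
    hits = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower(): f for f in files}  # Windows names ignore case
        for name in files:
            stem, last = os.path.splitext(name)
            if last.lower() != ".pif":
                continue
            inner = os.path.splitext(stem)[1].lstrip(".").lower()
            if inner not in TARGET_EXTS:
                continue
            original = present.get(stem.lower())
            hits.append((os.path.join(folder, name),
                         os.path.join(folder, original) if original else None))
    return sorted(hits, key=lambda h: h[0])


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        # Constructed sample names, not taken from a real infection.
        for rel in ("report.doc", "report.doc.PIF", "song.mp3.pif",
                    "docs/notes.txt", "docs/shortcut.pif", "docs/a.dat.pif"):
            open(os.path.join(root, rel), "w").close()
        return [(os.path.relpath(p, root), o and os.path.relpath(o, root))
                for p, o in find_pif_companions(root)]


if __name__ == "__main__":
    for pif, original in demo():
        print(pif, "->", original or "(original missing)")
```

A hit identifies a candidate by name only; confirm with an anti-malware scan before deleting, and never remove the original file the .pif copy sits beside.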