Aliases: W32/Iteb.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 11 Jan 2007
Damage: Low

Characteristics: The W32.Iteb.A worm’s main characteristic is its ability to copy itself to fixed locations on the C – G drives if available on the compromised machine. It can also scan mapped drives to search for JPEG files and copy itself to locations that have the (JPEG FILENAME ROOT).exe. This worm can likewise open a backdoor in the infected machine that will be used by the worm’s author to install more threats to the system or update or delete the worm.

More details about W32.Iteb.A

When the worm W32.Iteb.A is run in the computer system, it will copy itself as files with the EXE file extension to the C, E, F and D drives considering that the said drives exists and that the drive letters are mapped. It will then go on to scan the mapped drives and all its subfolders for files having the .JPG file extension and copy itself to the same location as the .JPG file it has found. Next, it will try to pass off copies of itself by adding the string ‘aris’ to some applications’ legitimate files such as mspaint.exe to mspaintAris.exe. In the event that all the source files are present in the system, the malware will try to overwrite it with copies of itself. The worm can also cause the operating system to inadvertently copy a backup of the worm to some EXE and TMP files.

This worm is also capable of displaying dialog boxes with the title ‘sirA’ and the containing message ‘I hate Beti’ or ‘Are You Hate Beti too’. It can also end its own process if the user responds to the dialog box. Removing the W32.Iteb.A’s infection requires the termination of its active process. To do this, simply go to the Windows Task Manager and then end the process. Next, click the Start and the Search button. Click the ‘All files and folders’ option and type in the worm’s name in the box ‘All or part of the filename’. Click the system’s hard disk drive in the box ‘Look In’ and then ‘Search’. Once all the malware’s dropped files have been found, delete them all.