Aliases: W32/MancSyn-G, Downloader-BBD
Variants: W32/Cheli.worm, Net-Worm.Win32.Agent.d

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 23 Mar 2007
Damage: Medium

Characteristics: The W32.Mancsyn is known for its exploitation of the buffer overrun vulnerability found in the DCOM RPC Interface of the operating system. This vulnerability is used by the Worm to spread its codes to other systems. It has been observed to initiate the downloading of potentially dangerous files into the already compromised machine. This malware will delete some subkeys of the Windows Registry service as well as files that are associated with some security programs.

More details about W32.Mancsyn

This malware will extract dangerous executable files into the directory folder of the operating system. The W32.Mancsyn will also place executable files in the subfolders of the user's profile directory. It will remove from the infected computer system specific executable files that can negatively impact the behavior of certain system monitoring tools and protection algorithms. The W32.Mancsyn attains automatic startup functionality by modifying the contents of the Windows Registry service with the addition of a new key value. The Windows Registry will be inspected by the W32.Mancsyn for the presence of certain key entries that are associated with the Portable Document Format reader application. When found these keys will be deleted by the malware from the system which may lead to a failure to execute.

When the W32.Mancsyn has successfully established itself into the compromised computer system it will proceed by creating mutexes to mark the infected machine. This means that the malware may limit the number of instances of infections that can be executed in one computer system. The W32.Mancsyn will attempt to connect to predetermined websites to be properly configured as well as to download additional files. The websites are presumed to be controlled by the remote attacker. Other Web servers may be contacted by the W32.Mancsyn to download files into the temporary folder of the user's profile directory.