Aliases: Worm.Autorun.ADR, Virus.Win32.VB.ki, W32/Vambul-A, W32/Sality-AM, PE_DROWOR.A
Variants: W32/Virut.gen, Win32/ChiHack.6652, Mal/Basine-A, Email-Worm.Win32.Runouce.b, BackDoor-AWQ

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, Australia, North and South America
Removal: Easy
Platform: W32
Discovered: 19 Feb 2008
Damage: Low

Characteristics: The W32.Mikbaland is capable of using removable storage devices as well as shared drives as transport media for the spreading of its codes to other potentially vulnerable computer systems. This threat has been observed to initiate the downloading of more malicious files from predetermined websites and executing them into the host machine. It will attempt to illegally terminate actively running processes associated with security programs and system monitoring tools.

More details about W32.Mikbaland

On initial execution the W32.Mikbaland malware it will create two variants of the on-disk Windows Registry format files in the root directory of the host machine. These HIV format files will be accompanied by an information file which is normally used to allow a specific code to execute automatically. The W32.Mikbaland will place its main executable files in the directory folder of the operating system where it will attempt to mimic legitimate operating system files by using filenames that resemble authentic processes. A copy of the executable file will be placed in the removable storage device and the shared drives of the infected computer system to spread the W32.Mikbaland infection. Accessing these drives automatically executes the infection routine of the malware.

The W32.Mikbaland will attempt to copy a legitimate Dynamic Link Library file to a different file but in the same location as the original. New key values will be entered into the Windows Registry to allow the malware to automatically load at system boot up, to hook specific functionalities of some installed applications, and to hijack certain programs. This will allow the W32.Mikbaland to load itself instead of the requested software application. The W32.Mikbaland will execute a hidden process of the Web browser which will allow it to discretely download dangerous files from websites identified by its malicious author.