W32/Dref-V, WORM_NUWAR.BH, WORM_NUWAR.EE, Win32/Luder.U
Win32/Luder.O, W32/Dref-AA, W32/Tibs, [email protected]
Category: Computer Worm
Active and Spreading
North America, South America, Asia, Europe, Australia
29 Dec 2006
This malware is a mass-mailing worm that can drop additional security threats onto an already infected computer system. It attempts to drop the Trojan.Peacomm or the Trojan.Galapoper.A malware. The W32.Mixor worm is also capable of terminating processes that it detects as security related.
W32.Mixor Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Mixor from your computer.
More details about W32.Mixor
Upon execution on the host machine, the W32.Mixor worm copies itself as four .exe files and one .dll file. It then drops a Trojan on the system and creates an XML file and a CSV file. Next, the worm creates several registry entries that allow it to start with Windows. It also modifies a registry entry to deactivate the Shared Access service, and it ends security-related processes when a window’s title contains one of the words in its predetermined list. The worm retrieves an encrypted configuration file from a remote server. This configuration file is used for downloading additional threats and running an array of components from predefined remote locations. The worm then proceeds to obtain email addresses from the Windows address book by scanning a particular file linked to a particular registry subkey.
This malware can also collect email addresses on fixed drives from files with the extensions .TXT, .HTM, .HTA and several others. However, it avoids sending email messages to domains containing the strings .gov or .mil. While collecting email addresses, the worm disregards addresses that contain security-related strings, such as the name of an antivirus product or Windows security application. The worm sends the gathered email addresses to a remote location. The W32.Mixor worm can also be commanded to send infected emails using its own SMTP engine. The address of the infected email is spoofed and the message body is left blank. The infected attachment that contains the worm’s code has a filename related to greeting cards and the .exe extension.
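As an added example (not part of the original write-up), a mail-triage check for the two message traits described above: a blank body combined with a greeting-card-themed .exe attachment. The keyword list, function names and sample messages are assumptions, since the page lists no actual filenames.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: the page lists no attachment names; these keywords are illustrative.
CARD_KEYWORDS = ("greeting", "postcard", "card")

def body_is_blank(msg):
    """True when there is no text body, or it holds only whitespace."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part is None or not part.get_content().strip()

def card_executables(msg):
    """Names of .exe attachments whose filename contains a card keyword."""
    hits = []
    for part in msg.walk():  # walk() also covers nested and single-part mail
        name = (part.get_filename() or "").lower().rstrip(". ")
        if name.endswith(".exe") and any(k in name for k in CARD_KEYWORDS):
            hits.append(name)
    return hits

def triage(raw):
    """Check one raw RFC 5322 message against both traits."""
    msg = message_from_string(raw, policy=policy.default)
    names = card_executables(msg)
    blank = body_is_blank(msg)
    return {"blank_body": blank, "attachments": names, "flag": blank and bool(names)}

def build_sample(body, filename):
    """Constructed test message; addresses and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "sample"
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    print(triage(build_sample(" \n", "Greeting Card.exe")))
    print(triage(build_sample("Minutes attached.\n", "minutes.pdf")))
```

Because the sender address is spoofed, the check deliberately ignores the From header and relies only on body and attachment traits.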