Aliases: W32/Mournor
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: North America, Europe, Asia
Removal: Easy
Platform: W32
Discovered: 28 Oct 2008
Damage: Medium

Characteristics: This security threat is a worm that propagates through network shares and removable drives. It also alters system files and drops additional malware on the already compromised machine. Because of the modified system files and the additional malware dropped by the W32.Mournor worm, the system will experience performance instability. This worm also prevents the Windows File Protection feature from restoring a corrupted Windows file.

More details about W32.Mournor

This malware may arrive on a target machine as a file whose icon looks like that of an image file. Once run on the infected machine, the worm copies itself as an executable file whose filename consists either of ordinary letters or of Chinese characters. The worm uses the filename with Chinese characters on systems that support multibyte filenames. W32.Mournor then copies the original Windows file explorer.exe to another folder and replaces the original Windows file with its own copy. This allows the worm to execute whenever Windows Explorer is launched. The worm then deletes a file related to the original explorer.exe file. Because of this deletion, the Windows File Protection feature is blocked and cannot restore the original explorer.exe file.

The W32.Mournor worm also creates an autorun.inf file. This file causes the worm to execute every time the infected drive is accessed. It may also drop several files that are considered non-malicious in the Temp folder. The malware then creates registry entries so that it launches when Windows starts. It is also capable of modifying some registry entries to mask its presence on the machine. The W32.Mournor worm opens unused Transmission Control Protocol (TCP) ports to communicate with remote servers on the Internet. It connects to an IRC server to listen for commands from remote users, and it stays resident in the system's memory. A remote user may transmit instructions to the computer through an IRC channel. These remote commands may include management of files, termination of running processes, modification of system configuration, or rebooting the system.
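As an added triage example (not code from the original description), the Python helper below checks for two of the behaviours described above from a defender's side: it parses an autorun.inf and lists every entry that would launch a command when the drive is opened, and it compares the live explorer.exe against Windows File Protection's cached copy. The autorun.inf content is a constructed sample, and the assumption that the "related file" deleted by the worm is the system32\dllcache copy used by Windows File Protection is mine, not the page's.

```python
import hashlib
import sys
from configparser import ConfigParser
from pathlib import Path
from typing import Dict, Optional

# [autorun] keys that make Windows run something when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")

# Constructed sample autorun.inf for the demo; not a real W32.Mournor artifact.
SAMPLE_AUTORUN = """[autorun]
icon=photo.ico
label=Photos
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
"""

def autorun_launch_targets(text: str) -> Dict[str, str]:
    """Return {key: command} for each entry that would launch on drive access."""
    cp = ConfigParser(interpolation=None, strict=False, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower          # autorun.inf keys are case-insensitive
    cp.read_string(text)
    found = {}
    for section in cp.sections():
        if section.lower() == "autorun":
            for key, value in cp.items(section):
                if key in LAUNCH_KEYS and value:
                    found[key] = value.strip()
    return found

def explorer_state(explorer: bytes, cached_copy: Optional[bytes]) -> str:
    """Compare live explorer.exe with the WFP cache copy (system32\\dllcache, assumed)."""
    if cached_copy is None:
        return "cache-missing"           # WFP has nothing to restore from
    if hashlib.sha256(explorer).digest() != hashlib.sha256(cached_copy).digest():
        return "mismatch"                # live explorer.exe is not the original
    return "ok"

if __name__ == "__main__":
    # Usage: python triage.py <drive root> [<SystemRoot>]
    inf = Path(sys.argv[1] if len(sys.argv) > 1 else ".") / "autorun.inf"
    if inf.is_file():
        for key, cmd in autorun_launch_targets(inf.read_text(errors="replace")).items():
            print(f"{inf}: {key} -> {cmd}")
    if len(sys.argv) > 2:
        sysroot = Path(sys.argv[2])
        cache = sysroot / "system32" / "dllcache" / "explorer.exe"
        cached = cache.read_bytes() if cache.is_file() else None
        print("explorer.exe:", explorer_state((sysroot / "explorer.exe").read_bytes(), cached))
```

A "cache-missing" or "mismatch" result on a machine that should have an intact Windows File Protection cache is the condition described above and warrants pulling the live explorer.exe for analysis.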