Aliases: W32/Namshare
Variants: P2P-Worm.Win32.Sharan.c, W32/Namshar, Worm/Sharan.A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 25 Feb 2005
Damage: Low

Characteristics: The W32.Namshare malware is a peer-to-peer (P2P) worm that spreads via file-sharing applications like KaZaa and Morpheus. Its infection routine begins by copying its code to the P2P applications’ shared folders on the victim system. Once the worm has planted its copy in a shared folder, the P2P network itself carries the infection to other machines.

More details about W32.Namshare

The W32.Namshare worm creates one copy of itself on the compromised machine with a .exe, .pif, .cpl or .com file extension. It then adds a value to a specific registry subkey so that it is activated when Windows starts. The malware also creates a random service name from a mixture of predetermined strings that are mostly security related. It then creates the ‘SharMan’ mutex to make sure that only a single instance of itself is running on the machine. The worm then copies its code to folders with the ‘share’ string. These copies use one of the extensions .pif, .exe, .cpl, .com, .doc, .txt, .xls, .rtf or .pdf.

To eliminate the W32.Namshare infection completely, users have to search the infected computer system for all of the worm’s dropped files and delete them. In the Windows Task Manager, look for the worm’s running process in the list of active processes and end it. All registry entries created by the worm should also be removed. It is critical to back up the Windows registry before making any changes to it. To avoid infection by this worm, disable file sharing if it is not necessary. If it is necessary, use password protection and ACLs to limit access to shared files.
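
An added triage sketch for the file search described above (not part of the original write-up): it looks only in folders whose name contains 'share', keeps files with the listed extensions whose content starts with the 'MZ' executable header, and groups them by SHA-256 so one binary stored under several names stands out. Matching 'share' against the folder name, the 'MZ' check, and the sample folder and file names are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the write-up lists for the worm's copies.
EXEC_EXTS = {".exe", ".pif", ".cpl", ".com"}
DOC_EXTS = {".doc", ".txt", ".xls", ".rtf", ".pdf"}

def scan_share_folders(root):
    """Map sha256 -> [(path, reason)] for MZ files in folders named '*share*'."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if "share" not in os.path.basename(dirpath).lower():  # assumption: name match
            continue
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXEC_EXTS | DOC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable: skip
            if data[:2] != b"MZ":  # assumption: copies are DOS/PE executables
                continue
            reason = "masquerade" if ext in DOC_EXTS else "executable"
            hits[hashlib.sha256(data).hexdigest()].append((path, reason))
    return dict(hits)

def repeated_binaries(hits):
    """Keep binaries present under more than one name (identical copies)."""
    return {h: found for h, found in hits.items() if len(found) > 1}

def build_sample(root):
    """Constructed sample tree; the 'binary' is harmless bytes starting with MZ."""
    fake = b"MZ" + b"\x00" * 62
    tree = {"My Shared Folder/setup.exe": fake, "My Shared Folder/report.doc": fake,
            "My Shared Folder/readme.txt": b"plain text", "Documents/tool.exe": fake}
    for rel, data in tree.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(repeated_binaries(scan_share_folders(root)))
```

Files flagged "masquerade" carry a document extension but executable content; every hit is a candidate for review, not a confirmed copy of the worm.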