Aliases: W32/Narcha-C
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Aug 2006
Damage: Low

Characteristics: W32.Narcha is a self duplicator worm that copies itself to mapped drives and folders that are used by file-sharing applications. File sharing applications may vary from different peer-to-peer programs. The worm generates a program icon similar to the folder icon used by Windows Explorer. When the icon is executed, it opens the "My Documents" folder with Windows Explorer. Furthermore, the worm has the capability to automatically execute and copy itself to windows system directory folders.

More details about W32.Narcha

These files can be seen when the worm is already in your computer: “Backup Folder.exe,”Fine Pictures.exe,”WINFOLDER.exe, “Office Documents.exe.” Private Pictures.exe,”Pictures.exe,”Music Folder.exe,”eBooks.exe,”Shared Network Folder.exe,”My Documents.exe,”Microsoft Common Shared Files.exe,”Funny Jokes.exe,”New Folder.exe,”Text Files.exe,”WinAmp Files.exe,”PowerPoint Documents.exe,”Project Report(s).exe,”Unread Emails.exe,”Picture Collection.exe,”Wallpapers.scr,”Received Pictures.exe,”Downloads.exe,”Briefcase Documets.exe,”Chernobyl April 26.exe,”.exe,”Folder.exe,”Desktop.exe,”Important Letters.exe,”Shortcut to Shared Folder.pif,”Shared Documets.exe,’README.exe,”SubFolders,”My Shared Documents.exe,”Common Files.exe,”Zipped Folder.exe,”Wma Files.exe” and Screensaver Collection.scr.” It may also copy itself to any one folders that may contain the following substrings: ” shared,”document,”folder,”music” and “picture. Primarily, this worm creates files that are garbage because as it multiplies, it takes up space. The space becomes unusable while the memory space is lessened.

Users’ accounts indicate that the W32.Narcha program is malware because of the unauthorized changes and consequences it gives to an infected computer. The program reportedly results in the shutting down of some program after the user opened them. The user may also experience a numerous links that popup whenever the user is on the infected program and these links keep on appearing notwithstanding that the same had been deleted by the user. Furthermore, the W32.Narcha program may be responsible for the unauthorized collection, transmission and sharing of user personal information that could later be used by the hacker for some malicious purposes.