Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 16 Oct 2004
Damage: Medium

Characteristics: W32.Narcs is a worm that propagates through Internet Relay Chat and the iMesh and Kazaa file-sharing networks. While doing so, the worm downloads and automatically opens “W32.Spybot.Worm.” One of its distinctive abilities is that it removes files and processes and weakens the compromised computer’s security by changing its security settings. It creates these files: “Age of Empires crack.exe,” “Age of Empires.exe,” “CD Key.exe,” “Counter Strike 6.exe,” “Counter Strike.exe,” “Grand Theft Auto 3 CD2 ISO.exe,” “Half-Life.exe,” “Hotmail Hack.exe,” “Hotmail account cracker.exe,” “KeyGen.exe,” “Microsoft Office.exe,” “Norton Anti Virus 2004.exe,” “Norton Anti Virus 2005.exe,” “Norton Anti Virus Crack.exe,” “Norton Firewall.exe,” “Norton Internet Security 2004.exe,” “Partition Magic 8.exe,” “Playstation 2.exe,” “Resident Evil.exe,” “Scran.cpl,” “Tomb Raider.exe,” “Trojan Remover.exe,” “Windows XP Home.exe,” “Yahoo Hack.exe,” “ZoneAlarm Firewall Pro.exe” and “Scran.exe.”

More details about W32.Narcs

It is also described as a memory-resident worm that works through mIRC and peer-to-peer (P2P) applications such as BearShare, Kazaa, Kazaa Lite and Kazaa Media Desktop. It also modifies the hosts file. Once the worm is present, access to antivirus and security-related websites is hampered or even blocked. It also changes registry keys, which prevents the computer from performing certain tasks such as running programs through the Run command, running Registry Editor and running Task Manager. Other applications or programs may also become inoperable because the worm can disable certain actions, such as closing Internet Explorer windows; the file opening, saving and printing functions of Internet Explorer; and notifications for new Windows Update components and for firewall- and antivirus-related events.
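The file names and hosts-file changes described above can be turned into a quick triage check. The following Python code is an added example, not part of the original entry or of any vendor tool. It assumes that any non-local hostname mapped to a loopback or unspecified address is worth reviewing, because the entry does not list the blocked sites, and the sample hosts text and directory listing are constructed.

```python
import ipaddress

# Lure file names listed in the entry above, compared case-insensitively.
LURE_NAMES = {n.lower() for n in (
    "Age of Empires crack.exe", "Age of Empires.exe", "CD Key.exe",
    "Counter Strike 6.exe", "Counter Strike.exe",
    "Grand Theft Auto 3 CD2 ISO.exe", "Half-Life.exe", "Hotmail Hack.exe",
    "Hotmail account cracker.exe", "KeyGen.exe", "Microsoft Office.exe",
    "Norton Anti Virus 2004.exe", "Norton Anti Virus 2005.exe",
    "Norton Anti Virus Crack.exe", "Norton Firewall.exe",
    "Norton Internet Security 2004.exe", "Partition Magic 8.exe",
    "Playstation 2.exe", "Resident Evil.exe", "Scran.cpl", "Tomb Raider.exe",
    "Trojan Remover.exe", "Windows XP Home.exe", "Yahoo Hack.exe",
    "ZoneAlarm Firewall Pro.exe", "Scran.exe",
)}
# Names that legitimately resolve to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

def find_lure_files(filenames):
    """Return names from a directory listing that match a listed lure name."""
    return [f for f in filenames if f.lower() in LURE_NAMES]

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that point a non-local name at this host."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line, skip it
        if addr.is_loopback or addr.is_unspecified:
            hits += [(ip, n) for n in names if n.lower() not in LOCAL_NAMES]
    return hits

# Constructed sample inputs (hostnames and files are illustrative only).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.av-vendor.example update.av-vendor.example  # blocked
0.0.0.0 security-site.example
192.0.2.10 intranet.example
"""
SAMPLE_SHARE = ["holiday.jpg", "HALF-LIFE.EXE", "Scran.cpl", "notes.txt"]

if __name__ == "__main__":
    print(find_lure_files(SAMPLE_SHARE))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

A hit from either function is a reason to look closer, not proof of infection: ad-blocking hosts files also map names to loopback addresses.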

It is believed that the W32.Narcs program can perform several malicious actions. These include flooding mailboxes and IRC channels, terminating system processes and viewing computer system information, such as installed software and running applications. Some users have also reported that this malware can execute scripts and programs on the victim computer, upload and download files, search for files on the compromised machine, execute commands through command.com and scan for computers with the LSASS vulnerability.