Aliases: N/A
Variants: W32.Niuniu.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Oct 2007
Damage: Low

Characteristics: W32.Niuniu is a worm that propagates through network shares and by contaminating ".html" files. The worm attacks and contaminates the following files: "HTM," "CONN.ASP," "DEFAULT.ASP," "DEFAULT.PHP," "INDEX.ASP" and "INDEX.PHP." The worm also deletes all GHO files found on the compromised computer. All versions of the Windows operating system can be affected by this worm. Like other worms, it automatically executes itself on the compromised computer, copying, creating and self-duplicating into the Windows system directory folders. Examples of this are the "crsss.exe," "niu.exe" and "autorun.inf" files. It weakens security settings by disabling security-related processes. It can spread via removable media drives, copying itself by dropping an autorun.inf file in the removable drive's root. Registry entries are also modified so that the worm executes every time Windows starts.
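The removable-drive behaviour described above (an autorun.inf pointing at a dropped executable) can be triaged from the defender's side. The following is an added example, not part of this entry: it parses an autorun.inf, reports which program it would launch, and flags the file names the entry attributes to the worm. The sample drive root it scans is constructed in a temporary directory with zero-byte placeholders.

```python
import os
import shlex
import tempfile

# File names this entry attributes to W32.Niuniu; used only as triage indicators.
NIUNIU_EXES = {"crsss.exe", "niu.exe"}


def parse_autorun(text):
    """Return the program names an autorun.inf would launch via open=, shellexecute= or shell\\*\\command=."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            # First token is the program; posix=False keeps Windows backslashes, then drop quotes.
            first = shlex.split(value, posix=False)[0].strip('"') if value else ""
            targets.append(first.replace("\\", "/").rsplit("/", 1)[-1].lower())
    return targets


def scan_drive_root(root):
    """Triage a drive root: Niuniu-named files present, and what its autorun.inf would run."""
    present = sorted(n.lower() for n in os.listdir(root) if n.lower() in NIUNIU_EXES)
    targets = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as f:
            targets = parse_autorun(f.read())
    suspicious = bool(present) or any(t in NIUNIU_EXES for t in targets)
    return {"present": present, "autorun_targets": targets, "suspicious": suspicious}


def build_sample_root():
    """Constructed sample drive root for the demo: placeholder files, not real malware."""
    root = tempfile.mkdtemp(prefix="niuniu_sample_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\r\nopen=niu.exe\r\nshell\\open\\Command=\"niu.exe\" /s\r\n"
                "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
    open(os.path.join(root, "niu.exe"), "wb").close()  # zero-byte placeholder
    return root


if __name__ == "__main__":
    print(scan_drive_root(build_sample_root()))
```

Pointing scan_drive_root at a mounted removable drive gives a quick read on whether its autorun.inf launches one of the named files; a legitimate installer disc will list its own setup program instead and not be flagged.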

More details about W32.Niuniu

Infected files are usually detected as W32.Niuniu!inf by most antivirus applications. The worm then opens Internet Explorer to visit a remote location, so that it can steal private or confidential files or data from the compromised computer. This information may end up on the black market; confidential email messages and/or usernames and passwords can also be sold on the Internet. Remote access by the attacker can also be destructive, since it allows additional malware to be downloaded onto the compromised computer.

Users of computers infected with W32.Niuniu may not easily notice the infection, because no added applications appear in the Windows Task Manager or the Programs folder. Users who encountered W32.Niuniu reported a severe downgrade in the performance of their machine. The Internet connection as well as the network connection of the affected machine is also reported to be congested.