Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 May 2007
Damage: Low

Characteristics: Self-duplication is the primary infection routine of this worm. It copies itself to the root of all drives, including removable and shared drives. The files being copied are “RavMon.exe,” “svchost.exe” and “Autorun.inf.” The worm then spreads by copying itself with the hidden and system attributes set.
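A defender's check for the drop pattern described above, as an added example that is not part of the original entry: it inspects one drive root for the three file names and reports whether each carries both the hidden and system attributes. The function names, verdict labels and the temp-folder sample are assumptions made for illustration.

```python
import os
import stat
import tempfile

# File names the entry lists as copied to the root of each drive.
DROPPED_NAMES = {"ravmon.exe", "svchost.exe", "autorun.inf"}
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def windows_attrs(path):
    """Return Windows file attribute bits, or 0 where the OS has none."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def scan_root(root, attrs_of=windows_attrs):
    """Check one drive root (not its subfolders) for the dropped files.

    Returns a sorted list of (name, hidden_and_system) tuples.
    """
    hits = []
    for entry in os.scandir(root):
        if not entry.is_file(follow_symlinks=False):
            continue
        if entry.name.lower() in DROPPED_NAMES:  # Windows names ignore case
            bits = attrs_of(entry.path)
            hits.append((entry.name, (bits & HIDDEN_SYSTEM) == HIDDEN_SYSTEM))
    return sorted(hits)


def verdict(hits):
    """Grade a root against the full pattern: all three files, hidden + system."""
    names = {name.lower() for name, _ in hits}
    if names == DROPPED_NAMES and all(flag for _, flag in hits):
        return "match"
    # Partial hits need a human: a lone Autorun.inf can be legitimate,
    # while svchost.exe normally lives in System32, not a drive root.
    return "review" if hits else "clean"


def demo():
    """Constructed sample: a temp folder standing in for a drive root."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("RavMon.exe", "svchost.exe", "Autorun.inf", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        # Simulated attribute reader so the sample runs on any OS.
        hits = scan_root(root, attrs_of=lambda path: HIDDEN_SYSTEM)
        return hits, verdict(hits)
```

On a Windows host, call `scan_root` with each drive root (for example `"E:\\"`) and the default attribute reader; a "match" is a triage lead to confirm with an antivirus scan, not a verdict on its own.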

More details about W32.Nomvar

When the memory space is reduced, the space becomes unusable. The worm also changes the boot sector, which could result in the inability of the computer to run. It attacks all Windows operating systems. W32.Nomvar also has remote capabilities which allow it to download potentially malicious files to the compromised computer. This backdoor capability allows the worm to steal private or confidential files or data from the compromised computer. The worm tries to hack these websites: “http://www.chacent.cn/updREMOVED” and “http://www.chacent.cn/downREMOVED.”

It is believed that the W32.Nomvar application is installed through the exploitation of vulnerabilities in the code of other programs. It could also target a programming loophole in other programs. It could possibly spread through spammed e-mails. Other possible distribution channels for the W32.Nomvar program include Internet Relay Chat (IRC), newsgroup postings and peer-to-peer networks. The backdoor Trojan could be associated with the huai.exe file name. The huai.exe process contains user-mode rootkit functionality. It could hide from the running process list, and it could hijack another process's virtual memory.