WORM_AUTORUN.BSG [Trend], Win32/Caowy.G [Computer Associates]
Category: Computer Worm
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
24 Apr 2008
W32.Otwycal.A was found on April 24, 2008. Also known as: WORM_AUTORUN.BSG and Win32/Caowy.G, this worm spreads by producing a copy of itself to fixed and removable drives. Windows 98, 95, XP, Me, Vista, NT, Server 2003 and 2000 are the operating systems this worm mostly affects.
W32.Otwycal.A Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Otwycal.A from your computer.
More details about W32.Otwycal.A
When W32.Oywycal.A is executed, it creates a copy of itself as 0x01xx8p.exe in tasks folder under %Windir%. Then, windows.txt in folder %System% and zzz.sys (Hacktool.Rootkit) in drive c: are created. Next, the worm spreads by producing a copy of itself as MSDOS.bat to all fixed and removable drives. And whenever the drive is accessed, autorun.inf is created. Another file is created, sysfile.brk, which is a backup copy of the explorer.exe file and then the worm infects explorer.exe. After that, the worm creates a new service then registers the service in a new system registry subkey. Lastly, the worm downloads instructions from [http://]www.wg581.cn/confi[REMOVED].
The W32.Otwycal.A program’s main process is saved as the executable file explorers.exe. It is placed in the System32 folder of an infected computer. A copy of the file may also be found in the Windows directory. It is registered as a system service by modifying the registry subkey values. This results in the software being launched every time Windows is started.