Aliases: WORM_AUTORUN.BSG [Trend], Win32/Caowy.G [Computer Associates]
Variants: W32/Cowya.a!AC39968F

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 24 Apr 2008
Damage: Medium

Characteristics: W32.Otwycal.A was found on April 24, 2008. Also known as: WORM_AUTORUN.BSG and Win32/Caowy.G, this worm spreads by producing a copy of itself to fixed and removable drives. Windows 98, 95, XP, Me, Vista, NT, Server 2003 and 2000 are the operating systems this worm mostly affects.

More details about W32.Otwycal.A

When W32.Oywycal.A is executed, it creates a copy of itself as 0x01xx8p.exe in tasks folder under %Windir%. Then, windows.txt in folder %System% and zzz.sys (Hacktool.Rootkit) in drive c: are created. Next, the worm spreads by producing a copy of itself as MSDOS.bat to all fixed and removable drives. And whenever the drive is accessed, autorun.inf is created. Another file is created, sysfile.brk, which is a backup copy of the explorer.exe file and then the worm infects explorer.exe. After that, the worm creates a new service then registers the service in a new system registry subkey. Lastly, the worm downloads instructions from [http://]www.wg581.cn/confi[REMOVED].

The W32.Otwycal.A program’s main process is saved as the executable file explorers.exe. It is placed in the System32 folder of an infected computer. A copy of the file may also be found in the Windows directory. It is registered as a system service by modifying the registry subkey values. This results in the software being launched every time Windows is started.