Aliases: IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure], IRC.Trojan.Fgt
Variants: W32/Petch.worm!irc, W32/Petch.A, W32.Petch.B

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Hard
Platform: W32
Discovered: 26 Oct 2003
Damage: High

Characteristics: On October 26, 2003, a worm that disables firewall and security software was discovered. This worm is W32.Petch which is a downloaded file that also removes critical system files and changes the Internet Explorer home page to a pornographic page. The operating systems this worm affects are Windows 2000, 95, 98, Me, NT and XP. This worm is UPX-packed and written in the Delphi programming language.

More details about W32.Petch

W32.Petch performs several actions after it is executed. It copies itself as the following files: C:\Windows\System32\Userinit32.exe, C:\Windows\System32\Dllhost32.exe, C:\Windows\Notepad.exe and C:\Windows\Regedit.exe. These files are hard-coded and they do not depend on system variables. Then, the worm changes the value to "Userinit"="C:\Windows\system32\userinit32.exe" in a certain system registry key. Afterwards, the worm looks for processes as well as programs and disables them. Some system registry keys will be deleted and the Internet Explorer home page will be reset to another home page which contains pornographic material. Furthermore, the worm sets the default user name and the alternate default user name as to a different name. Then, most .exe files from the drive C: will be deleted. The worm doesn’t stop there. It also removes most of the subkey paths from these system registry subkeys: HARDWARE, SECURITY, SOFTWARE, SYSTEM, Software and System. A fake error message appears then the worm runs mIRC to be able to execute a one-line command.

The website that’s responsible for distributing this worm is no longer available. But that doesn’t mean W32.Petch does not exist anymore. Once the worm is executed, the user will no longer be able to start Windows. It makes numerous changes to the system registry and deletes system files. If this happened, replace the deleted files and the Windows registry from a clean backup or reinstall the OS. If the registry has been replaced with a clean copy and missing system files are restored, update the virus definitions. Then, run a full system scan to be able to find all infected files. Remove all the files that are detected as W32.Petch. However, these manual removal steps will only work if W32.Petch has not yet executed. In other words, if the worm has already executed, it will be hard to remove it manually. You only need to have an expert technician to be able to remove this worm once the worm is executed.