Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 20 Jul 2007
Damage: Low

Characteristics: W32.Phoney.A first appeared on July 20, 2007. It was discovered and identified both as Trojan and a worm. This worm propagates via mapped drives and lowers security settings in the infected computer. This worm mostly affects Windows 2000, 95, 98, Me, NT, Server 2003 and XP.

More details about W32.Phoney.A

If W32.Phoney.A is executed, the worm/Trojan produces copies of itself as Empty.pif, Autorun.inf, web.exe, winxp.exe and [FOLDER NAME].exe from the Startup, %Windir%, %System% and %CurrentFolder% folders. Then, the worm adds itself as AUTORUN.INF and microsoft.exe to the root of all mapped drives. Afterwards, the worm creates three specific system registry entries to enable the worm to run every time the Windows starts. It also produces other system registry entries that would enable the worm to lower security settings in the computer. This would allow other malicious threats to infect the computer. In addition, the worm creates several system registry entries to modify the default filetype handler for different extensions. Once the worm is installed, the worm has the ability to reboot the computer every half hour from 8:00 AM to 8:30 AM. Moreover, the worm displays a fake Norton AntiVirus erros message stating that the computer is infected with Rontokbro at different times. Random texts in the title of actively running windows will be closed as well as some types of windows.

The W32.Phoney.A software is installed on a computer without the user’s knowledge and consent. It does not display a EULA (End User License Agreement) which should contain the details regarding the installation of the program. The application also does not have an uninstaller that usually comes together with legitimate programs. This makes the application difficult to remove from the user’s computer. This application connects to remote servers to download unwanted files. These additional components increase the system’s vulnerability. They also take up a lot of the computer’s local disk space.