Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 06 Oct 2008
Damage: Medium

Characteristics: W32.Poskiwing was discovered on October 6, 2008. This worm propagates by producing a copy of itself to removable and network drives. This worm also infects some files and opens a back door in the computer. The operating systems this worm mostly affects are Windows 98, 95, XP, Me, Vista, NT, Server 2003 and 2000.

More details about W32.Poskiwing

When W32.Poskiwing is executed, the worm shows a message in a dialog box that says “Error reading setup initialization file. If the message is clicked, the worm begins to copy itself as popk.exe and Shell.pci in the %System% folder. Then, the worm connects to [http://]skr.8800.org/skr[REMOVED] to receive commands from the attacker. From this URL, the worm also downloads and executes files. These files are popk.exe and autorun.inf that are stored in the %DriveLetter% folder of removable and network drives. Furthermore, the worm continues to infect other files with the following extensions: .exe,.scr, .com and .pif. The worm adds a malicious script tag to some files using .htm, .html, .asp, .jsp and .aspx file extensions. In addition, the worm has the ability to stop several processes from running.

The compromised computer may slow down when it is infected with the W32.Poskiwing application. This may be caused by the programs and files that were added by the software on the user’s machine. A computer that is not protected by security programs and firewalls are easily infected with threats. This is also the case for computers that are not patched for system vulnerabilities.