Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 28 May 2007
Damage: Medium

Characteristics: W32.Quadrule.A is a worm. It propagates itself using network drives and removable drives. It also opens a back door on the infected computer. A back door allows a remote attacker to steal personal information from compromised computers.

More details about W32.Quadrule.A

Once the worm is executed, it creates the file QQ.exe to make sure it runs when Windows starts. It also copies itself using the filenames QQUpdate.exe and msn.exe. In addition, it creates registry entries to ensure execution every Windows start up. It checks for and ends the processes: taskmgr.exe, gxh.exe, syshost.exe, yellow.exe, Microsoft Office Word.exe, Microsoft Word.exe, and Microsoft Office.exe. It also deletes other files in the system. It may download a number of files on to the infected computer and drops them at certain locations. It then creates a back door. The back door allows a remote attacker to access files on the infected computer. Next, the worm connects to the Server.somv.cn domain on port 61183. It waits for specific commands from an attacker.

When the worm infects a computer, it allows a remote attacker to do the following: change the Internet Explorer home page, end processes, update the worm, and modify the registry. This W32.Quadrule.A application enters a computer through security errors and system vulnerabilities. It launches on a computer stealthily and starts up each time the system is opened or rebooted. This software may enter a computer that is not protected by security programs and firewalls. Users may find new icons on the desktop. These may have been added together with the downloaded applications. The computer may also slow down as a result of the activities being carried out.