Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 23 Nov 2005
Damage: Medium

Characteristics: The W32.Secefa.A program is a worm with backdoor capabilities that can drop another worm onto the infected computer.

More details about W32.Secefa.A

When the W32.Secefa.A worm is run, it copies itself as “%Windir%\msdef.exe”, “%Windir%\services.exe”, and “%System%\ws3lib.exe”. The worm also creates additional files such as “%Windir%\dodrrr.exe”, “%System%\qwe.bat”, and “%System%\ftp.scr”. It then sets a registry value to stop the Windows Firewall service, and adds a registry value that registers the worm as an authorized application. The W32.Secefa.A program blocks access to several security-related sites by adding entries to the hosts file. It stops services with names such as “AVPCC” and “AvxIni”, and attempts to terminate the processes “ATUPDATER.EXE” and “AUPDATE.EXE”. It then copies the file “%Windir%\sfc_os.dll” or “sfc.dll” to “%Windir%\trash[RANDOMDIGITS]”. Finally, the worm opens a backdoor on the infected computer by connecting to an IRC channel and listening for commands, which allow an attacker to perform various actions on the infected computer.
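The file and hosts-file indicators listed above can be checked with a small triage script. The following is an added example, not code from the original write-up or from any vendor tool; it runs over a constructed directory listing and hosts-file snippet, keeps the %Windir% / %System% placeholders as the description gives them, and the hostnames in the sample use the reserved .invalid domain.

```python
import re
from typing import List

# Dropped-file indicators taken from the W32.Secefa.A description.
# The legitimate services.exe lives in %System%; a copy in %Windir% is suspect.
DROPPED_FILES = {
    r"%Windir%\msdef.exe",
    r"%Windir%\services.exe",
    r"%System%\ws3lib.exe",
    r"%Windir%\dodrrr.exe",
    r"%System%\qwe.bat",
    r"%System%\ftp.scr",
}
# Copy of sfc_os.dll / sfc.dll saved as %Windir%\trash followed by random digits.
TRASH_COPY = re.compile(r"^%Windir%\\trash\d+$", re.IGNORECASE)

def scan_paths(paths: List[str]) -> List[str]:
    """Return the paths that match Secefa.A's dropped-file indicators."""
    wanted = {p.lower() for p in DROPPED_FILES}
    return [p for p in paths if p.lower() in wanted or TRASH_COPY.match(p)]

def suspicious_hosts_entries(hosts_text: str) -> List[str]:
    """Flag hosts-file lines that pin a non-local hostname to a loopback or
    null address, the pattern used to block security-related sites."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "0.0.0.0", "::1"):
            if any(n.lower() not in ("localhost", "localhost.localdomain") for n in names):
                flagged.append(line)
    return flagged

# Constructed sample input (not a real infected system).
SAMPLE_PATHS = [
    r"%Windir%\explorer.exe", r"%System%\services.exe", r"%Windir%\services.exe",
    r"%System%\ws3lib.exe", r"%Windir%\trash48213", r"%Windir%\trashcan.txt",
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 update.example-av.invalid
0.0.0.0   download.example-av.invalid
"""

if __name__ == "__main__":
    print("file hits:", scan_paths(SAMPLE_PATHS))
    print("hosts hits:", suspicious_hosts_entries(SAMPLE_HOSTS))
```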

The W32.Secefa.A program may also hijack the user’s web browser. It changes the homepage to a website that displays information about the infection on the user’s computer, and the website may also describe how to purchase a license for an application that claims to remove the infection. The worm runs on Windows 98, Windows 95, Windows Me, Windows XP, Windows 2000, Windows NT and Windows Server 2003.