Aliases: W32/Generic.Delphi.b, Trojan.PWS.Sadas, TROJ_MMM.A, Worm/Shelp.a.2, Net-Worm.Win32.Shelp.a
Variants: Collected.6.BS, Win32.Worm.Shelp.A, Trj/PassGrabber.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 May 2005
Damage: Medium

Characteristics: W32.Shelp is a worm that spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability.

More details about W32.Shelp

When the W32.Shelp worm is executed, it spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow. It then downloads the files “svchost.exe” and “load.exe” from the IP address “” and saves “svchost.exe” as “%System%\explorer.exe”. Next, it adds the value “explorer” = “%System%\explorer.exe” to the registry key so that the threat runs each time Windows starts, and creates a new registry key where it may keep the worm’s version information. It executes the downloaded “%System%\explorer.exe” file and deletes the “load.exe” file. Finally, it downloads a copy of W32.Shelp from the IP address “” and runs it to complete the infection of the computer.
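The persistence step above leaves a checkable artifact: an autorun value pointing at “explorer.exe” inside the system directory, whereas the genuine Windows shell sits in the Windows directory. The following Python sketch is an added example, not part of the original entry; it flags such values in an exported autorun list. The directory paths, the sample entries and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: default Windows locations. "%System%" is the page's notation for
# the system directory; the genuine Explorer shell lives in the Windows directory.
ENV = {
    "%system%": r"c:\windows\system32",
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
}


def image_path(command, env=ENV):
    """Extract and normalise the executable path from an autorun command line."""
    cmd = command.strip()
    # Prefer a quoted path; otherwise take everything up to the first ".exe".
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.exe)\b", cmd, re.I)
    path = (m.group(1) if m else cmd).lower()
    for var, value in env.items():
        path = path.replace(var, value)
    return ntpath.normpath(path)


def classify(name, command, env=ENV):
    """Return 'match', 'suspicious' or None for one autorun value."""
    path = image_path(command, env)
    in_system_dir = ntpath.dirname(path) == env["%system%"]
    if ntpath.basename(path) != "explorer.exe" or not in_system_dir:
        return None
    # Value name "explorer" plus the system-directory path is the pair described above.
    return "match" if name.lower() == "explorer" else "suspicious"


# Constructed sample autorun values (name, data); the registry key is omitted
# because the page does not name it.
SAMPLE = [
    ("explorer", r"%System%\explorer.exe"),
    ("Explorer", r'"C:\WINDOWS\system32\explorer.exe" /s'),
    ("Shell", r"C:\Windows\explorer.exe"),
    ("updater", r"%SystemRoot%\System32\..\system32\EXPLORER.EXE"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]


def scan(entries=SAMPLE):
    """Return (name, verdict) for every flagged autorun value."""
    return [(n, v) for n, c in entries if (v := classify(n, c))]
```

A “suspicious” verdict means the path matches but the value name differs from the one described here, so the entry still deserves a manual look.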

The software may enter the system when it is bundled with other unwanted applications. It may come with spyware and adware programs, which are typically distributed bundled with free computer utilities. Users are often unaware that hidden files are included in the installers. The W32.Shelp program may also spread via drive-by downloads. Its code may be hidden in the formatting of a web page, or it may be embedded as an ActiveX component. Viewing such a website with a weakly protected browser will execute the malicious software on the user’s computer.