Aliases: W32.HLLW.Smilex
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 05 Nov 2002
Damage: Low

Characteristics: The W32.Stupid.D application replicates itself to the folder's root of every writeable drives. It is encrypted in the programming language of Microsoft Visual Basic.

More details about W32.Stupid.D

Once the W32.Stupid.D was performed, it displays a message containing: “Properties for this Program cannot be verified. The APPS.INF file is missing. Copy the APPS.INF file from your Windows Setup disks into your Windows INF folder.” The worm replicates itself being the :\dat0.exe. The characteristics of the replicated file will be set to system, read only, and hidden. The worm also replicates itself to a root of all of the logical drives that are writeable. For instance, the worm may replicate the files such as D:\Smile.exe, in case the drive D is a writeable drive, C:\Smile.exe, or A:\Smile.exe. The worm also generates the file C:\S.bat that has length of 37 bytes and is not a viral. Simply delete this type of file if it is present.

The worm recovers the Startup folder location of recent client from the key of the registry. Then the worm tries to restart your computer together with the floppy disk in the computer’s drive A. The worm also tries to generate the file A:\Autoexec.bat. In case the attempt was successful, the file A:\Autoexec.bat encloses the text del autoexec.bat, cls, copy smile.exe \smile.exe, and @echo off. If the user restarts the computer, the W32.Stupid.D was replicated to the folder of the Startup. Then the virus will delete the :\Autoexec.bat and C:\Windows\System.ini. The worm tries to add a value to the key of the registry so that in case the Windows will start the worm will run at the same time.