Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 23 Jan 2008
Damage: Medium

Characteristics: The W32.Uporesc application infects .html and .exe files spreads through replicating itself to drives that are removable. It downloads also potentially malevolent files on the internet. It replicates itself to some locations when it executes.

More details about W32.Uporesc

If the worm searches for any of the specified Chinese character, the worm will automatically closes the open window. The after that the worm infects all of the files having .exe extension in the Drive D to the Drive N. It will avoid infecting these particular files in case the folder contains strings such as C:\\Program Files, windows, mir, winnt, documents and settings, qq, and ghost. Also the Chinese characters of the names such as the Jianxie, Zhengtu, Moshou, Menghuan Xiyou, Datang Haoxia, Wulin Waizhuan, QQ Huaxia, Wanmei Guoji, Rexue Chuanqi, Dahua, Fengyun, Wanmei Shijie, Tianlong Babu, Moyu, Juren, Zhuxian, and Rexue Jianghu. The worm also infests those files that are in the Drives D to Drives N having the .cgi, .htm, .aspx, .php, .asp, and/or .html.

Once the W32.Uporesc was performed, the worm replicates itself to the C:\api32.exe, %System%\api32.exe, and %System%\svchost.dll locations. The worm also generates files such as the %System%\exe.sys, %System%\IME\svchost.exe, and %System%\Autorun.inf. The worm may also has the ability to drop the file %SYSTEM%\svchost.dll. The worm also creates subkey to the registry and also generates entries to the registry. Then the worm will delete the subkeys on particular registry. Then it modifies the created entry of the registry. The worm also check out the headings of the applications that are open so it can see if these titles contain strings that are related to the products that are security related and it is widely used in China.