Aliases: Backdoor.Win32.RWX.2005.lk, BDS/Hupigon.abml.16
Variants: Trojan.PWS.Delf.IFI, Win32/Dowque!generic

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Aug 2007
Damage: Medium

Characteristics: W32.Versie.A is a worm that spreads via mapped network drives. It opens a backdoor and can download more malicious files and content onto the computer. The worm usually affects Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista systems.

More details about W32.Versie.A

When W32.Versie.A is executed, it copies itself as an .exe file in the program files and system folders. It also copies itself to the root of removable and fixed drives as [DRIVE LETTER]:\[RANDOM NAME1].exe or [DRIVE LETTER]:\Autorun.inf. After it executes from those drives, it creates the files Paramstr.txt (log files) and RelDelBat.Bat, registers itself to run, and creates registry subkeys. The registry keys that the worm creates and modifies enable autorun on mapped drives, disable Start Page protection for Internet Explorer, change the Internet Explorer start page, change the desktop wallpaper, and disable the Windows Remote Assistance facility. The worm launches iexplore.exe and svchost.exe processes, then injects itself into the memory space of these processes so that it masquerades as a legitimate process.
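The drive-root artifacts described above can be checked with a short triage script. This is an added example, not part of the original write-up or any vendor tool; it assumes the Autorun.inf launches the dropped executable through standard open/shell entries (the write-up does not show the file's contents), and the function names and sample file names are constructed.

```python
import os
import tempfile

# File names the write-up says the worm creates; their location is not stated,
# so this example only looks for them in the scanned root (assumption).
DROPPED = {"paramstr.txt", "reldelbat.bat"}

def autorun_targets(text):
    """Return the .exe names an autorun.inf [autorun] section would launch."""
    targets, section = set(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            key = key.strip().lower()
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            end = value.lower().find(".exe")
            if launches and end != -1:
                path = value[:end + 4].strip(' "').replace("/", "\\")
                targets.add(path.split("\\")[-1].lower())
    return targets

def scan_root(root):
    """Return (kind, file name) findings for one drive root or mount point."""
    files = {n.lower(): n for n in os.listdir(root)
             if os.path.isfile(os.path.join(root, n))}
    findings = []
    if "autorun.inf" in files:
        with open(os.path.join(root, files["autorun.inf"]), encoding="latin-1") as fh:
            for exe in sorted(autorun_targets(fh.read())):
                if exe in files:  # launcher and payload both sit in the root
                    findings.append(("autorun-launches-root-exe", files[exe]))
    findings += [("dropped-file-name", files[n]) for n in sorted(DROPPED) if n in files]
    return findings

def build_sample(root):
    """Write constructed sample files (harmless text, not real worm content)."""
    samples = {"Autorun.inf": "[AutoRun]\nopen=qzxvbn.exe\nshell\\open\\command=qzxvbn.exe\n",
               "qzxvbn.exe": "placeholder", "Paramstr.txt": "placeholder"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_root(tmp):
            print(finding)
```

Installer media legitimately pairs Autorun.inf with a root executable, so a hit is a lead for review rather than a verdict.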

If W32.Versie.A is not removed from the computer, the worm can open a back door on the compromised computer and connect to a TCP port. Through this back door, a remote attacker can log keystrokes, download and execute other files, and shut down the compromised computer. W32.Versie.A also disables encryption on Tencent Messenger by deleting the .sys file from the installation folder. The worm can also send system information to the remote attacker, such as CPU speed, OS version, available memory, and installed service packs.