Aliases: W32/SillyFDC-U
Variants: Downloader-BAL, Trojan.Agent.AIP, W32/Agent.BNQT, W32/SillyFDC-U, W32/Worm.AI

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 30 Mar 2007
Damage: Low

Characteristics: The W32.Vipauto application is a worm that infects computers via removable media. It affects Windows 95, Windows 98, Windows XP, Windows NT, Windows 2000, Windows Server 2003, and Windows Me.

More details about W32.Vipauto

Once the W32.Vipauto worm is executed, it creates C:\WINDOWS\[ORIGINAL FILE NAME].exe and copies itself as [DRIVE LETTER]:\[5 RANDOM UPPER AND LOWER CASE LETTERS].exe to the root of any attached drives. It drops a [DRIVE LETTER]:\Autorun.inf file that points to W32.Vipauto on any connected drives. It then creates registry entries so that it runs automatically each time Windows starts, and it modifies a registry entry and continually resets it, which keeps files hidden even if the user sets the “View Hidden Files” option. The worm can also delete important registry entries, and it creates a mutex. Once all these steps are completed, it contacts particular Web sites, saves the downloaded files as .txt files, and then executes them.
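The drive-root pattern described above can be checked for when triaging removable media. The following is an added example, not part of the original write-up or any vendor tool: it parses an Autorun.inf and flags launch entries that name a five-letter .exe present in the drive root. The function names and the sample file are constructed, and which Autorun.inf key the worm actually uses is an assumption, so the standard launch keys are all checked.

```python
import re
from pathlib import PureWindowsPath

# Standard Autorun.inf keys that can name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Naming pattern from the write-up: five upper/lower case letters plus .exe.
FIVE_LETTER_EXE = re.compile(r"^[A-Za-z]{5}\.exe$", re.I)

# Constructed sample, not taken from a real infection.
SAMPLE = "[AutoRun]\nopen=QwErT.exe\nshell\\open\\command=QwErT.exe\nicon=setup.ico\n"


def autorun_targets(text):
    """Return (key, target) for each launch entry in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                targets.append((key.strip().lower(), value.strip().strip('"')))
    return targets


def suspicious_entries(autorun_text, root_files):
    """Flag launch entries naming a five-letter .exe that sits in the drive root."""
    present = {name.lower() for name in root_files}
    hits = []
    for key, target in autorun_targets(autorun_text):
        if not target:
            continue
        exe = PureWindowsPath(target.split()[0])  # drop any arguments
        depth = len(exe.parts) - (1 if exe.anchor else 0)  # 1 means drive root
        if depth == 1 and FIVE_LETTER_EXE.match(exe.name) and exe.name.lower() in present:
            hits.append((key, exe.name))
    return hits


if __name__ == "__main__":
    print(suspicious_entries(SAMPLE, ["QwErT.exe", "Autorun.inf", "photos"]))
```

A legitimate five-letter name such as setup.exe also matches this heuristic, so a hit is a lead for further inspection of the file, not a verdict.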

The W32.Vipauto worm software can be instructed to change the security settings of the infected machine. Access to anti-malware programs and websites may be restricted. The user’s activities may be monitored using a keylogger function. This can capture whole documents, passwords, user names, credit card information, and personal data. These are then sent to the remote user.