Aliases: Generic2.GYL, TR/Agent.aaa, Trojan.Agent.xrg, Trojan.Wantok.A, Trojan.Win32.Agent.aaa
Variants: W32/Trojan.LQQ, W32/USBWantok, W32/Wantok-A, Win32/USBWantok.A, Win32:Agent-CWA [Trj]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 15 Nov 2006
Damage: Low

Characteristics: W32.Wantok is a malicious worm that copies itself to all local hard disks on the compromised PC and shows a message when executed. The worm affects all Windows platforms, such as Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP.

More details about W32.Wantok

The malicious worm replicates itself to all local hard disks on the compromised PC and shows a message when executed. It spreads via network shares and removable media devices. The worm affects all Windows platforms. When W32.Wantok is executed, it creates files such as jub0.exe, svch0st.exe, bigdick.inf, and tokwan.txt in the System folder. It also adds a value to a registry subkey so that it is executed automatically whenever Windows starts. It then displays a message titled “Tokwan Lonely”, which contains the following text: “Hello Everybody, Kenai tokwan dak? Tokwan dah tua,” etc. It further attempts to copy itself as [DRIVE LETTER]:\autorun.inf to local drives D through P. It then ends any processes with the altered file names, which results in corruption of files.
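A triage sweep for the artefacts named above, as an added example that is not part of the original entry: it looks for the four listed file names in a system folder and for autorun.inf at the root of drives D through P. The System32 path and the function names are assumptions; the entry only says "System folder".

```python
import os
import string

# File names the entry lists as created in the System folder (compared in lower case).
DROPPED_FILES = {"jub0.exe", "svch0st.exe", "bigdick.inf", "tokwan.txt"}
# The entry says autorun.inf is written to local drives D through P.
TARGET_DRIVES = string.ascii_uppercase[3:16]


def find_dropped_files(system_dir):
    """Return paths in system_dir whose name matches a listed file, ignoring case."""
    try:
        entries = os.listdir(system_dir)
    except OSError:  # folder missing or unreadable
        return []
    return sorted(os.path.join(system_dir, n) for n in entries
                  if n.lower() in DROPPED_FILES)


def find_autorun_files(drive_roots):
    """Return autorun.inf paths found at the top level of the given roots."""
    hits = []
    for root in drive_roots:
        try:
            entries = os.listdir(root)
        except OSError:  # drive letter not present or not ready
            continue
        hits.extend(os.path.join(root, n) for n in entries
                    if n.lower() == "autorun.inf")
    return sorted(hits)


def sweep(system_dir, drive_roots):
    """Collect both kinds of finding for review."""
    return {"system_folder": find_dropped_files(system_dir),
            "autorun": find_autorun_files(drive_roots)}


if __name__ == "__main__":
    # Assumed location of the System folder on NT-based Windows.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    roots = [f"{d}:\\" for d in TARGET_DRIVES]
    for kind, paths in sweep(system_dir, roots).items():
        for path in paths:
            print(f"{kind}: {path}")
```

An autorun.inf at a drive root can also be legitimate, so each hit is a lead for review rather than confirmation of infection.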

This W32.Wantok application is also known for downloading and executing files and programs from a remote server. The Trojan application may download adware and spyware programs and other viruses. These are added to the user’s computer without permission. The additional components may decrease the system’s speed and take up computer resources. The W32.Wantok application may enter a computer through security errors and system vulnerabilities. It may be downloaded or dropped by other Trojan programs that are already present on the user’s machine. The user may also unknowingly download the threat while visiting websites that are not secure. Another way of getting the threat is through an infected file from P2P (peer-to-peer) programs.