Aliases: W32/Wecorl, WORM_WECORL.A, Worm.W32/Wecorl, Win32.Wecorl, Virus.Win32.Wecorl
Variants: Virus.Win323/Wecorl, Worm.W32.Wecorl, Win32/Wecorl

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 02 Nov 2008
Damage: Low

Characteristics: W32.Wecorl is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). Once running, it silently downloads files from a remote server and executes their malicious content. It affects Windows Server 2003, Windows XP, and Windows 2000.

More details about W32.Wecorl

W32.Wecorl is a worm that spreads by exploiting a vulnerability in the Server service (MS08-067). When the .exe runs on the victim's system, the worm hooks particular file-system operations and modifies system files. It also creates registry entries and a mutex named "Ceproxy---------" to mark its presence on the computer and to ensure that only one instance of itself runs at a time. The worm next deletes svchost.exe in the System folder and replaces it with its own copy; svchost.exe is considered a critical system file because the operating system uses it to host the processes started from .dll files. The worm is designed to download files and run malicious content supplied by a remote attacker. It saves the downloaded files under the names winlogon.exe and svchost.exe. These filenames mimic legitimate Microsoft Windows files, which misleads users into believing the files are harmless. The worm then tries to connect to particular domains to obtain the IP addresses associated with the infected system.
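The two host-level traces described above, the "Ceproxy---------" mutex and the svchost.exe/winlogon.exe filenames used for dropped files, are the kind of thing a responder triages first. The following is an added example, not code from the original page or from any vendor: a check over a constructed host snapshot. The snapshot layout, the legitimate directories for those binaries and the sample paths are assumptions.

```python
# Added example (not from the original page): triage a constructed host snapshot
# for the mutex marker and for svchost.exe/winlogon.exe images running from
# outside the Windows system directory.
from pathlib import PureWindowsPath

WECORL_MUTEX = "Ceproxy---------"            # mutex name given in the description
MASQUERADED_NAMES = {"svchost.exe", "winlogon.exe"}
# Assumption: the only legitimate homes for these binaries on an XP/2003-era host.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def check_mutexes(mutexes):
    """Return one finding per mutex that exactly matches the worm's marker."""
    return [f"mutex present: {m}" for m in mutexes if m == WECORL_MUTEX]


def check_processes(processes):
    """Flag svchost.exe/winlogon.exe images that run from outside LEGIT_DIRS."""
    findings = []
    for proc in processes:
        path = PureWindowsPath(proc["image"])
        name = path.name.lower()
        parent = str(path.parent).lower()
        if name in MASQUERADED_NAMES and parent not in LEGIT_DIRS:
            findings.append(f"pid {proc['pid']}: {name} outside system dir: {proc['image']}")
    return findings


def triage(snapshot):
    """Combine both checks over a snapshot dict with 'mutexes' and 'processes' keys."""
    return check_mutexes(snapshot["mutexes"]) + check_processes(snapshot["processes"])


# Constructed sample snapshot (not real telemetry): one genuine svchost.exe,
# two masquerading copies in temp directories, and the worm's mutex.
SAMPLE = {
    "mutexes": ["Global\\DBWinMutex", "Ceproxy---------"],
    "processes": [
        {"pid": 804, "image": r"C:\WINDOWS\system32\svchost.exe"},
        {"pid": 1932, "image": r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"},
        {"pid": 2108, "image": r"C:\WINDOWS\Temp\winlogon.exe"},
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because the worm also replaces the genuine svchost.exe inside the System folder, the path check alone does not cover that case; verify the in-place binary against its known-good signature or hash separately.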

W32/Wecorl downloads unsolicited files and programs from a remote server. These may include adware and spyware, other worms and viruses, all of which further weaken the system. The additional components take up most of the infected system's local disk space.