Aliases: W32.Warcraft
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Jul 2002
Damage: Low

Characteristics: W32.Evala.Worm is a Backdoor Trojan that affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP Operating System platforms. Peer-to-peer application or file-sharing networks such as Kazaa, Grokster and Morpheus are the platforms where this worm usually spreads. Remotely, it also connects with TCP ports 69 and 70. It is also known as W32.Warcraft when the worm was updated last July 12, 2002. File-sharing networks, email, network file sharing are also some of the reasons this worm spreads and propagates.

More details about W32.Evala.Worm

Antivirus programs and firewalls are also terminated by this worm which leaves the compromised computer vulnerable to other virus, malware and worms. It also disables Task Manager and Windows Registry. Moreover, the worm also modifies the compromised computer's Internet Explorer homepage. Standard protection and removal tools include the usual process of being wary and careful with the programs being installed and the processes being allowed to run in the system. It is also a good practice when you are using a firewall to block all incoming connections from the Internet to services that should not be publicly available. Always protect your computer by denying all incoming connections and allow only services you trust and really know. Passwords creation is also a key in protecting files and programs from viruses. Auto play facility in your computer should be disabled to prevent the further automatic launching of executable files on network and removable drives.

This malware program may be capable of becoming a RAT or Remote Administration Tool to allow remote users to access and control the infected machine. It was reported that this malware may act as a server to allow users to have full access to the infected system using its client counterpart. This may allow malicious users to retrieve system information, such as the list of programs installed, the hardware profile of the infected machine, the IP address of the machine on the network, and so on. This malware program reputedly modifies the Registry values of the machine during installation to allow it to load automatically without user permission during boot-up. There were reports that this malware can modify the certain Registry Keys to allow it to start its own routines or to execute programs.