W32/Traxg-H

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Traxg-H is a mass-mailing worm for the Windows platform which also spreads by copying itself to network shares.

W32/Traxg-H sends emails with itself as an attachment to addresses found in the Outlook Express address book.

W32/Traxg-H may copy itself as a random filename to any of the following folders:

\fonts
\help
\system
\temp
\web

W32/Traxg-H may display a fake error message box containing the following text:

Warning
This Folder Has Been Damage!

The worm may create the files C:\FOLDER.HTT and nethood.htm, also detected as W32/Traxg-H. This file exploits the "Microsoft VM ActiveX Component" vulnerability, associated with certain versions of Microsoft Internet Explorer, to run further executable code. This vulnerability allows an HTML-based script to access the file system or registry without any of the usual security restrictions placed on ActiveX controls. For further information see Microsoft security bulletin MS00-075.

W32/Traxg-H may also create network shares for local files and folders. When spreading through networks, W32/Traxg-H typically uses the filename WINDOWS.EXE.

When first run, W32/Traxg-H copies itself to <Windows folder>\fonts\8746d.com.

The following registry entry is created to run 8746d.com on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TempCom
<Windows folder>\FONTS\8746D.com

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
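
The registry values listed above can be checked offline against a `reg export` dump collected from a suspect host. The Python below is an added example, not Sophos code: the function names, the sample export and the C:\WINDOWS path are constructed for illustration, and it assumes the export (typically UTF-16) has already been decoded to text.

```python
import re

# Keys from the description above, written as `reg export` spells them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed sample export; C:\WINDOWS stands in for <Windows folder>.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TempCom"="C:\\WINDOWS\\FONTS\\8746D.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
'''

def parse_reg(text):
    """Parse decoded .reg text into {key: {value_name: data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def check_traxg_h(reg_text):
    """Return (strong, weak) lists of indicators matched in the export."""
    reg = parse_reg(reg_text)
    strong, weak = [], []
    data = reg.get(RUN_KEY.lower(), {}).get("tempcom")
    if isinstance(data, str) and data.lower().endswith("\\fonts\\8746d.com"):
        strong.append("Run value TempCom -> " + data)
    adv = reg.get(ADV_KEY.lower(), {})
    if adv.get("hidden") == 0:
        weak.append("Hidden=0")
    # HideFileExt=1 is also the Windows default, so it only corroborates.
    if adv.get("hidefileext") == 1:
        weak.append("HideFileExt=1")
    return strong, weak
```

Treat a match in the first list as grounds for a full scan; the Explorer settings on their own are not sufficient evidence of infection.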
