Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 13 March 2005 16:42:26 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
More Information
W32/Esalone-A is a worm for the Windows platform that spreads by copying itself to the available network drives with the filename Readme.txt.exe and by inserting a worm copy into WinZip and WinRAR archives.
Once executed, W32/Esalone-A copies itself to the Windows folder with the filename daemon.exe and, so that it runs automatically when Windows starts up, sets the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Daemon
"daemon.exe c daemon2.exe"
W32/Esalone-A attempts to copy itself as a file called Office_Service.pif to the <Windows>\Start Menu\Programs\inicio folder.
W32/Esalone-A copies itself to the root folder of available network drives with the filename Readme.txt.exe, and attempts to insert itself into ZIP and RAR archives using the same filename.
W32/Esalone-A may create a number of files when run, including the following:
Infect.drv
Muerte.drv
infectate.reg
WinZip.reg
WinRar.reg
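
A sweep for the file names listed above, including Readme.txt.exe as a member of ZIP archives, written as an added example; it is not Sophos code. The function names and the sample files are constructed for illustration, RAR archives are not inspected because the Python standard library cannot read them, and a name match is only a lead for further analysis.

```python
import os
import tempfile
import zipfile

# File names taken from the description above; compared case-insensitively.
WORM_COPY_NAMES = {"readme.txt.exe", "office_service.pif", "daemon.exe"}
DROPPED_NAMES = {"infect.drv", "muerte.drv", "infectate.reg", "winzip.reg", "winrar.reg"}


def suspicious_members(zip_path):
    """List ZIP members whose base name is Readme.txt.exe, without extracting anything."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []  # corrupt or unreadable archive: skip it, do not abort the sweep
    return [n for n in names
            if n.replace("\\", "/").rsplit("/", 1)[-1].lower() == "readme.txt.exe"]


def scan_tree(root):
    """Return sorted (kind, path) findings for every file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in WORM_COPY_NAMES:
                findings.append(("worm-copy-name", path))
            elif name.lower() in DROPPED_NAMES:
                findings.append(("dropped-file-name", path))
            if zipfile.is_zipfile(path):
                findings.extend(("zip-member", f"{path}!{m}")
                                for m in suspicious_members(path))
    return sorted(findings)


def build_constructed_sample(root):
    """Create harmless placeholder files (constructed test data, no malware content)."""
    for name in ("Readme.txt.exe", "Muerte.drv"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "docs.zip"), "w") as zf:
        zf.writestr("notes.txt", "clean")
        zf.writestr("backup/README.TXT.EXE", "placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for kind, path in scan_tree(tmp):
            print(kind, path)
```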
