Antivirus and Security Software from Sophos

W32/Francette-X

Aliases
  • WORM_TUMBI.B
  • Backdoor.Win32.Delf.abc

Summary

 
How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 25 November 2005 00:22:04 (GMT)
Detected by: All Sophos products

More Information

W32/Francette-X is a worm and IRC backdoor Trojan for the Windows platform.

W32/Francette-X spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

W32/Francette-X runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Francette-X includes functionality to access the internet and communicate with a remote server via HTTP.

When W32/Francette-X is installed it creates the file <System>\msguid32.dll. This file is non-malicious and may be safely deleted.

The following registry entry is created to run W32/Francette-X on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS

W32/Francette-X may modify the HOSTS file, changing the hostname-to-IP mappings for selected websites and thereby preventing normal access to those sites.

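
As an added illustration (not Sophos code), the following Python check audits HOSTS-format text for entries that override watched hostnames, which is the tampering described above. The watchlist, the sample file contents, the function names and the blocked/redirected labels are all constructed for this example.

```python
import ipaddress

# Constructed watchlist: hostnames that should never be pinned in HOSTS.
WATCHLIST = {"online.bank.example", "www.bank.example"}

# Constructed sample HOSTS content (documentation-range addresses only).
SAMPLE_HOSTS = """\
# constructed sample file
127.0.0.1       localhost
::1             localhost
192.0.2.10      Online.Bank.Example   # trailing comment
127.0.0.1       www.bank.example. intranet.corp.example
198.51.100.7    files.corp.example
not-an-ip       www.bank.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop inline comments
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines that do not start with a valid IP address
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.rstrip(".").lower()

def audit_hosts(text, watchlist):
    """Return (line_no, hostname, ip, kind) for each watched name in HOSTS."""
    watched = {w.rstrip(".").lower() for w in watchlist}
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in watched:
            # Loopback or 0.0.0.0 makes the site unreachable; anything
            # else sends the user to a different server.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, name, str(ip), kind))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print("line %d: %s -> %s (%s)" % finding)
```

On a live Windows system the text to audit would be read from %SystemRoot%\System32\drivers\etc\hosts, with the watchlist replaced by the hostnames the organization needs to protect.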
