Summary

| Summary | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 July 2006 22:20:57 (GMT) |
| Last updated | 13 December 2006 09:41:40 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Varmil-A is a worm for the Windows platform.
W32/Varmil-A includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Varmil-A may download and execute files from a remote server.
When first run, W32/Varmil-A copies itself to <Windows system folder>\AcroTray32.exe. The worm then searches for files with the following extensions:
AVI
BMP
C
CPP
DAT
DOC
FRM
JPEG
JPG
MP3
OCX
PDF
SCR
SIG
TIF
VBP
VBW
WAV
ZIP
If files with these extensions are found, W32/Varmil-A will overwrite them with a copy of itself. W32/Varmil-A also attempts to copy itself to files on network shares.
W32/Varmil-A creates a new file in %SYSTEM%\Drivers\etc\HOSTS called hosts.FILE, mapping selected anti-virus websites and other websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:
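As an added example (not part of the Sophos advisory), the following Python script parses HOSTS file text and reports security-vendor hostnames that have been pointed at the loopback address in the way described above; it goes slightly beyond the advisory by also treating 0.0.0.0 mappings as blocking. The WATCHED_DOMAINS set and the sample HOSTS content are constructed for the demonstration.

```python
import ipaddress

# Vendor domains the advisory lists among the worm's HOSTS mappings; extend
# with the update hosts of the products your estate runs (assumption: a
# second-level domain match is sufficient for these names).
WATCHED_DOMAINS = {"avg.com", "mcafee.com", "pandasoftware.com", "symantec.com"}

# Constructed sample HOSTS text: normal entries plus lines of the kind the
# worm appends (a loopback address followed by a vendor or popular site name).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver.corp.example   # legitimate internal entry
127.0.0.1 avg.com
127.0.0.1 www.avg.com
0.0.0.0 www.symantec.com
127.0.0.1 google.com
not-an-ip www.mcafee.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def registered_domain(hostname):
    """Last two labels of a hostname (www.avg.com -> avg.com)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def find_blocked_domains(text, watched=WATCHED_DOMAINS):
    """Return sorted hostnames that HOSTS sends to a loopback or unspecified
    address and whose registered domain is one of the watched vendor domains."""
    hits = set()
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; ignore the line
        if (addr.is_loopback or addr.is_unspecified) and registered_domain(name) in watched:
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for host in find_blocked_domains(SAMPLE_HOSTS):
        print(f"HOSTS redirects {host} to loopback: possible anti-virus site blocking")
```

On a live Windows system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_blocked_domains to check for the same tampering.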
W32/Varmil-A may email itself to addresses harvested from the user's address book.
W32/Varmil-A may also attempt to disable the following processes:
ACKWIN32
AD-AWARE
ADAWARE
ADVXDWIN
AGENTSVR
AGENTW
ANTIVIR
ANTIVIRUS
APIMONITOR
APLICA32
AUPDATE
AUTODOWN
AUTOTRACE
AVGCC32
AVGCTRL
AVKSERV
Babylon
CFINET
CLEANPC
DATEMANAGER
DPFSETUP
F-AGNT95
FNRB32
GhostTray
IOMON98
mcvsshld
NAVAP32
navapsvc
navapw32
NAVW32
NETD32
NETMON
NORMIST
notepad
NPROTECT
NPROTECTED
NUPGRADE
OUTPOST
PavFires
pavProxy
pavsrv50
POP3TRAP
POWERPNT
realplay
regedit
Rtvscan
RuLaunch
SAVScan
SCAN32
SHSTAT
SNDSrvc
symlcsvc
taskmgr
UPDATE
UpdaterUI
Vshwin32
VsStat
VsTskMgr
WINWORD
ZONEALARM
W32/Varmil-A sets the following registry entry in order to run at start up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AmirCivil
<Windows system folder>\AcroTray32.exe
