W32/Xrove-A

Please follow the instructions for removing worms.

W32/Xrove-A is a worm written for the .NET framework. It is the first malware known to affect both systems running Windows for desktops and Windows for Mobile devices.

When W32/Xrove-A is run it attempts to collect the information about the operating system environment and executes different functions based on the current operating system environment. W32/Xrove-A is a worm written for the .NET framework. It is the first malware known to affect both systems running Windows for desktops and Windows for Mobile devices.

When W32/Xrove-A is run it attempts to collect the information about the operating system environment and executes different functions based on the current operating system environment.

If the worm is running on a desktop system it creates a file with a random name in the Windows folder and changes a registry entry under the key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Random Unique ID
=[wormfilename]

so that the worm runs when the user logs in.

W32/Xrove-A then runs in a loop to attempt to detect that a mobile device is connected to the desktop system. If connection to the device is successful the worm attempts to copy itself into the Windows folder on the device and launch a worm process remotely on the device.

If the worm is running on the mobile device it attempts to create a link with a random name in the folder \Windows\Startup. The link points to the W32/Xrove-A so that the worm is run every time the device is powered on.

W32/Xrove-A attempts to delete all files from the \My Documents\ folder and all subfolders.