Worm:W32/Worm

Name : Worm:W32/Worm
Detection Names : Win32.Worm, Worm.Generic
Category : Malware
Type : Worm
Platform : W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Disinfection

Automatic Disinfection

Starting from F-Secure Anti-Virus (FSAV) version 5.40, standalone malware (backdoors, worms, trojans, etc.) is automatically removed. FSAV automatically renames malware files to prevent them from being executed.

In rare cases, automatic disinfection is not possible and the user must instruct FSAV to perform disinfection (renaming and/or deleting the infected file).

In special cases, users are advised to perform disinfection using specific tools provided by F-Secure. The tools can be downloaded from:


In some cases F-Secure Anti-Virus may not automatically disinfect a system. If so, please visit our Support pages at:



Manual Disinfection

Note: Manual disinfection is a risky process; it is recommended only for advanced users.

To manually disinfect standalone malware (backdoors, worms, trojans, etc.) it is usually enough to delete all infected files from a computer and to restart it.

Active malware files are usually locked by the operating system, so different disinfection approaches are required for different operating systems. If the computer is running Windows 95, 98 or ME, the recommended action is to restart the computer from a bootable system diskette and delete the infected file from the command prompt. For example, if the malicious file ABC.EXE is located in the Windows folder, type the following command at the command prompt:

  • DEL C:\WINDOWS\ABC.EXE

and press Enter to delete the infected file. If the computer is running Windows NT, 2000 or XP, the malicious file must be renamed with a different extension (for example .VIR) before the system is restarted. After the restart, the renamed malicious file is no longer active and can then be deleted manually.


Windows System Restore Issues

If the computer is running on the Windows ME or XP operating systems, disabling the System Restore feature before disinfection is recommended. This is to avoid possible re-infection by a threat that has just been disinfected, as the System Restore feature may have unknowingly saved a copy of the infected file during its normal procedures. If the System Restore feature is active, it may then copy the infected file back to the hard drive after the user or an antivirus program has renamed or deleted it.

Instructions on how to disable the System Restore feature are here:


Once disinfection is complete, re-enabling the System Restore feature is recommended. This will allow the user to restore the system to a stable configuration in the event that a crash or incompatibility issue occurs in the future.


F-Secure Anti-Virus

F-Secure Anti-Virus can be purchased from our online web store or from authorized distributors. A 30-day limited trial version of F-Secure Anti-Virus may be downloaded from our website:


All the latest versions of FSAV can automatically download the latest signature database updates. These updates can also be manually downloaded and installed from our web or FTP sites:

Additional Details

This is the Worm General Information page.

A worm is a parasitic program capable of replicating itself by sending copies of itself in e-mail messages or by copying itself to other computers over a network or other media. At one time, worms were considered more of a nuisance than a threat, but today it has become increasingly common for malware authors to create malicious, complex worms that carry viruses and backdoors inside them, or that have additional features such as local network spreading or password and data stealing.

The latest worms also try to disable anti-virus and security software on infected computers. Some worms attempt to steal data by attaching images or document files to the infected messages that they send out. A few worms have a destructive payload and destroy the infected system after they have sent themselves out.

There are numerous worm sub-types, which are defined by the platform or medium in which they propagate. For example, an Email-Worm will spread copies of itself using e-mail messages; an IRC-Worm spreads through Internet Relay Chat (IRC) channels and an SMS-Worm multiplies using the Short Message System (SMS) of telecommunications networks. Read more about the different sub-types below:


Email-Worm
The most common type of worm is an Email-Worm, also known as a mass-mailer or, less commonly, an Internet worm. It is usually a standalone program that sends itself as an e-mail attachment to every e-mail address it can find on an infected computer. Mass mailers became very widespread at the beginning of the 21st century.

Typically a mass mailer arrives on a computer in an infected e-mail message. In some cases the infected attachment of such a message starts automatically; in other cases the user has to run the attachment to become infected. When a typical mass-mailer is activated, it installs itself on the system by copying its file into the Windows or Windows System folder, creates a startup key for its file in the Registry or modifies the WIN.INI or SYSTEM.INI file, and stays active in memory.

While active, a mass mailer collects e-mail addresses from the user's Address Book or searches specific files (HTML files, for example) for e-mail addresses. Finally the mass mailer connects to any available SMTP server (usually the user's default SMTP server) and sends itself to all, or a selection, of the addresses it found.

Some mass mailers randomly compose the subjects and bodies of infected messages from words and phrases that they carry in their own bodies. Some worms use the contents of randomly chosen files as the message body or subject. A worm's attachment name may be random or 'borrowed' from another file.

Many worms send themselves as attachments with a double extension, for example .MPG.EXE or .AVI.PIF. In most cases the recipient sees only the first extension, so some users open such attachments believing they are multimedia files.
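The double-extension trick described above is easy to check for at a mail gateway or in a triage script. The following is an added example, not F-Secure's own code; the extension lists are assumptions, and the function also catches the whitespace-padded variant (for example "holiday.jpg          .scr") that pushes the real extension out of view.

```python
import re
from typing import Optional

# Extensions Windows executes directly. A "media" name that ends in one of
# these (.MPG.EXE, .AVI.PIF, ...) is the mass-mailer pattern described above.
# Assumed list, extend to taste.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}

# Decoy extensions worms borrow so the visible part of the name looks harmless.
DECOY_EXTENSIONS = {"mpg", "avi", "jpg", "gif", "txt", "doc", "mp3", "htm", "html", "zip"}


def masquerading_extension(filename: str) -> Optional[str]:
    """Return the real (last) extension if the name places a decoy extension
    in front of an executable one, otherwise None.

    Case is ignored, as Windows ignores it, and both spellings seen on the page
    ('.MPG.EXE' and 'AVI.PIF') are handled. A plain 'setup.exe' is NOT
    reported: this check is for masquerading, not for executables in general.
    """
    name = filename.strip().lower()
    # Collapse runs of spaces so 'x.avi        .pif' becomes 'x.avi .pif'.
    name = re.sub(r"\s+", " ", name)
    parts = [p.strip() for p in name.split(".") if p.strip()]
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return None
    # Any earlier dot-separated part that is a decoy extension => masquerade.
    for part in parts[:-1]:
        if part in DECOY_EXTENSIONS:
            return last
    return None


def triage_attachments(names):
    """Map each attachment name to its hidden executable extension (or None)."""
    return {n: masquerading_extension(n) for n in names}
```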


Net-Worm
A Net-Worm or Network Worm is usually a standalone program that tries to copy itself to other computers connected to the same Local Area Network (LAN). Such worms travel from one computer to another using shares. A share is a storage medium (a hard drive, for example), or part of one, that can be accessed by everyone or only by users with specific access rights. In many cases corporate computers and servers have a few open shares, which eases a worm's task of infecting a network. Cleaning up a network worm outbreak in many cases requires taking the network down and disinfecting all infected computers one by one.

A network worm, when activated, looks for all available shared resources and, if it finds that the Windows directory of another computer is shared, copies its files there. To make these copies start on the remote computer, the worm usually modifies the WIN.INI or SYSTEM.INI file. This approach, however, does not work on NT-based operating systems. When the target computer is next restarted, it becomes infected.
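Both the mass-mailer and the network-worm descriptions above mention the WIN.INI and SYSTEM.INI startup hooks. The audit below is an added example (not F-Secure's code) that parses the two files and reports any run=/load= entry in WIN.INI [windows] and any SYSTEM.INI [boot] shell= line that launches more than Explorer.exe; the sample file contents are constructed, and the file name ABC.EXE is the placeholder the page itself uses.

```python
import configparser
from typing import List, Tuple

# Constructed sample INI contents (not from any real infected machine): the
# [windows] run= line and the [boot] shell= line are where 9x-era worms hook
# their copied file so that it starts at the next boot.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\ABC.EXE
NullPort=None
"""

SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe ABC.EXE
"""

def _parse(text: str) -> configparser.RawConfigParser:
    # Real INI files have no %-interpolation and may repeat keys.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp

def _section(cp: configparser.RawConfigParser, name: str):
    # Section names are matched case-insensitively ([Windows] vs [windows]).
    return next((s for s in cp.sections() if s.lower() == name), None)

def audit_startup_entries(win_ini: str, system_ini: str) -> List[Tuple[str, str, str]]:
    """Return (file, key, value) for every startup hook that is not the Windows
    default: any non-empty run=/load= in WIN.INI [windows], and a SYSTEM.INI
    [boot] shell= line that launches anything besides Explorer.exe."""
    findings = []
    win = _parse(win_ini)
    sec = _section(win, "windows")
    if sec is not None:
        for key in ("run", "load"):
            value = (win.get(sec, key, fallback="") or "").strip()
            if value:
                findings.append(("WIN.INI", key, value))
    sysini = _parse(system_ini)
    sec = _section(sysini, "boot")
    if sec is not None:
        shell = (sysini.get(sec, "shell", fallback="") or "").strip()
        # "Explorer.exe" alone is the clean default; an extra token means
        # something has been chained onto the shell line.
        if shell.lower() != "explorer.exe":
            findings.append(("SYSTEM.INI", "shell", shell))
    return findings
```

Each finding should be compared against the path of a file that was just renamed or deleted; an entry that points at it explains why the worm came back after a reboot.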

Some worms copy themselves to the startup folders of different users on remote computers. In this case they start every time one of those users logs on there. Some network worms can spread globally over the Internet: they use NetBIOS services on ports 137 and 139 to find vulnerable computers and copy themselves there. These worms can also modify Windows INI files remotely. Only Windows 9x systems are affected by this type of worm.
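A worm sweeping a subnet on ports 137 and 139, as described above, looks very different in firewall logs from a client talking to its usual file servers: the discriminator is the number of distinct hosts one source contacts in a short window. The detector below is an added example (not F-Secure's code) that runs over constructed log lines in an assumed "timestamp proto src:port -> dst:port" format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in a simple, assumed firewall format (not from a real
# device): "<date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-05-01 10:00:01 UDP 10.0.0.7:1034 -> 10.0.0.1:137
2003-05-01 10:00:01 UDP 10.0.0.7:1034 -> 10.0.0.2:137
2003-05-01 10:00:02 UDP 10.0.0.7:1034 -> 10.0.0.3:137
2003-05-01 10:00:02 TCP 10.0.0.7:1035 -> 10.0.0.3:139
2003-05-01 10:00:03 UDP 10.0.0.7:1034 -> 10.0.0.4:137
2003-05-01 10:00:03 UDP 10.0.0.7:1034 -> 10.0.0.5:137
2003-05-01 10:00:04 TCP 10.0.0.9:2210 -> 10.0.0.20:139
2003-05-01 10:00:05 TCP 10.0.0.9:2211 -> 10.0.0.20:139
2003-05-01 10:00:10 TCP 10.0.0.12:3000 -> 192.0.2.5:80
"""

NETBIOS_PORTS = {("UDP", 137), ("TCP", 139)}

def find_share_scanners(log_text: str, threshold: int = 4,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {src_ip: distinct_targets} for every source that touched at least
    `threshold` distinct hosts on NetBIOS ports within `window`. A normal client
    talks to a handful of servers; a network worm walks the subnet."""
    events: Dict[str, List] = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, proto, src, _, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if (proto, int(dst_port)) not in NETBIOS_PORTS:
            continue  # only NetBIOS name-service / session traffic matters here
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events[src.rsplit(":", 1)[0]].append((ts, dst_ip))
    scanners: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding time window over this source's events, oldest to newest.
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners
```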

A few network worms attempt to disable the security of NT-based operating systems by patching specific Windows components. In this case they get full administration rights on the infected computer.

One network worm attempts to copy itself to shares that are protected with a password. The worm uses a vulnerability that allows it to brute-force the password and bypass share security.


IRC-Worm
IRC worms are also platform-specific. They work only with IRC (Internet Relay Chat) clients that connect to various IRC networks. An IRC worm is usually a standalone program that uses IRC networks to spread itself. Such a worm either tries to spread by establishing a connection to an IRC server itself, or it drops specific scripts into an IRC client's directory. The most affected IRC client is mIRC. Usually an IRC worm replaces some INI files in the mIRC directory with its own scripts, and when the user connects to an IRC server and joins any channel, these scripts instruct the client to send the worm's executable file to everyone in that channel.


IIS Worm
A platform-specific worm is a worm that works only on a specific platform (software). There exists a family of worms that work only on Microsoft IIS (Internet Information Server) software. These worms are called IIS worms. The code of such a worm is usually an HTTP request that exploits a vulnerability in the IIS software and makes the server run binary code that follows the HTTP request. IIS worms do not exist in file form; they exist only as a process in memory. Disinfection of such worms is quite easy: the appropriate patches need to be installed on the IIS software and the server has to be rebooted. Some IIS worms change the startup pages of the IIS servers they infect.