W32.Dotex is a worm that copies itself to the root of all drives and downloads potentially malicious files onto the compromised computer. It also attempts to disable various antivirus programs.
Also called
W32/Webbew.worm is a worm written in Delphi that spreads via removable drives. It is designed to silently download and execute malicious content from a remote server.
When the executable is run on the victim machine, the worm copies itself to the following locations.
- %Program Files%\bhbsdrx.inf (169 bytes): used to autorun the worm when the drive is accessed
- %Program Files%\meex.exe (25,824 bytes): copy of the worm
- %Program Files%\Common Files\Microsoft Shared\pxpfern.exe (25,824 bytes): copy of the worm
- %Program Files%\Common Files\System\tnmgncd.exe (25,824 bytes): copy of the worm
The autorun.inf files are dropped into the root of every removable drive on the victim's system. This inf file causes the worm to run automatically when the drive is accessed. The autorun.inf is currently detected as Generic!atr.
The contents of the file will be similar to the following:
[AutoRun]
open=htocusa.exe
shell\open="opens"
shell\open\Command=htocusa.exe
shell\open\Default=1
shell\explore="Resource Management"
shell\explore\Command=htocusa.exe
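
A defender's check for the autorun.inf pattern shown above, as an added example that is not part of the original write-up or any vendor tooling: it parses an autorun.inf and lists the programs the file would launch. The function names and the extension list are assumptions chosen for illustration; the sample input is the listing quoted above.

```python
import re

# Constructed sample: the autorun.inf contents quoted in the write-up above.
SAMPLE_INF = r"""[AutoRun]
open=htocusa.exe
shell\open="opens"
shell\open\Command=htocusa.exe
shell\open\Default=1
shell\explore="Resource Management"
shell\explore\Command=htocusa.exe
"""

# Keys that make Windows launch a program when the drive is opened or explored.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def launch_targets(inf_text):
    """Return [(key, target)] for every launch entry in the [AutoRun] section."""
    hits, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                hits.append((key.strip(), value.strip().strip('"')))
    return hits


def suspicious(inf_text):
    """Flag files an autorun.inf would execute; returns sorted unique names."""
    names = set()
    for _key, target in launch_targets(inf_text):
        # First token is the program; anything after it is arguments.
        program = (target.split() or [""])[0].lower()
        if program.endswith(EXECUTABLE_EXT):
            names.add(program)
    return sorted(names)


if __name__ == "__main__":
    for key, target in launch_targets(SAMPLE_INF):
        print(f"{key} -> {target}")
    print("executables launched:", suspicious(SAMPLE_INF))
```

Run against the autorun.inf at the root of a removable drive, a non-empty result means opening or exploring the drive would start the listed program on systems where AutoRun is enabled.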
This worm exists purely to download and run other remote files. The downloader is installed on the victim machine in a way that assists in masking its activity.
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.