
Win32.Otwycal.A

MEDIUM
MEDIUM
approx. 25 KB
(Worm.Win32.Otwycal, W32.Wowinzi, W32/Otwycal.A, W32/Cowya.A)

Symptoms

Increased system activity, CPU usage and network usage.
Presence of the files:
"%WinDir%\Tasks\0x01xx8p.exe"
"%WinDir%\Tasks\SysFile.brk"
"%Temp%\Windows.ext"


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Adrian Stefan Popescu, virus researcher

Technical Description:

The malware is a file infector that affects PE executable files.
When an infected executable is run, it extracts only the malware code from the infected file, drops it to %Temp%\WinDir.EXT and runs it.

When that dropped copy runs, it copies itself to %WinDir%\Tasks\0x01xx8p.exe.
It first infects the file %System%\spoolsv.exe.

After this infection, it tries to download a configuration file into one of these locations:
  • %WinDir%\kkk.txt
  • %WinDir%\config.txt
  • %WinDir%\windows.txt
Following the instructions in the configuration file, it does the following:

1.    Download files from: http://888.[REMOVED].com/00/ and run them
2.    It infects all web-related files with the following extensions:
  • *.do
  • *.htm
  • *.html
  • *.shtm
  • *.shtml
  • *.aspx
  • *.php
  • *.jsp
  • *.cgi
  • *.xml
  • *.GHO
The infection consists of appending one or more lines, taken from the configuration file, to the end of each such file.

3.    It infects all PE files on all fixed drives with the following extensions:
  • *.exe
  • *.bat
  • *.cmd
  • *.com
  • *.scr
With the exception of:
  • qq.exe
  • QQDoctor.exe
  • QQDoctorMain.exe


4.    It spreads to all removable drives by creating an "autorun.inf" that runs the copy of the malware code placed on the removable drive.
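Steps 2 and 3 above both modify files that should otherwise never change: web files get lines appended at the end, and executables get the infector's code written into them. The check below is an added example for defenders, not Bitdefender's code or tooling: it records a baseline manifest (size and SHA-256) of the watched file types, then on a later run reports each changed file and distinguishes a pure append (the original bytes survive as an unchanged prefix, the pattern described for web files) from a rewrite. All paths, file contents and the appended placeholder line are constructed for the example.

```python
"""Baseline-and-compare check for the file modifications described above.

Constructed example: build a manifest of watched files, then report files
whose content changed, classifying the change as "appended" when the
original bytes are still an exact prefix of the new content.
"""
import hashlib
import os
import tempfile

# Extensions listed in the description; compared lower-cased.
WEB_EXTENSIONS = {".do", ".htm", ".html", ".shtm", ".shtml", ".aspx",
                  ".php", ".jsp", ".cgi", ".xml", ".gho"}
PE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr"}
WATCHED = WEB_EXTENSIONS | PE_EXTENSIONS


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> dict:
    """Record size and SHA-256 of every watched file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            manifest[rel] = {"size": len(data), "sha256": sha256_of(data)}
    return manifest


def compare(root: str, manifest: dict) -> list:
    """Return findings for files that changed since the manifest was taken.

    Each finding is a dict with keys: path, kind ("appended", "rewritten",
    "missing") and, for appended content, the appended lines themselves.
    """
    findings = []
    for rel, rec in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append({"path": rel, "kind": "missing"})
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if sha256_of(data) == rec["sha256"]:
            continue
        # If the original bytes survive as a prefix, the change is a pure
        # append: hash only the first rec["size"] bytes and compare.
        if len(data) > rec["size"] and sha256_of(data[:rec["size"]]) == rec["sha256"]:
            appended = data[rec["size"]:].decode("utf-8", errors="replace")
            findings.append({"path": rel, "kind": "appended",
                             "lines": appended.splitlines()})
        else:
            findings.append({"path": rel, "kind": "rewritten"})
    return findings


def demo() -> list:
    """Constructed scenario: take a baseline, then simulate both kinds of change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site"))
        os.makedirs(os.path.join(root, "tools"))
        page = os.path.join(root, "site", "index.html")
        tool = os.path.join(root, "tools", "backup.cmd")
        untouched = os.path.join(root, "site", "about.htm")
        with open(page, "wb") as fh:
            fh.write(b"<html><body>hello</body></html>\n")
        with open(tool, "wb") as fh:
            fh.write(b"@echo off\r\nxcopy /s data backup\r\n")
        with open(untouched, "wb") as fh:
            fh.write(b"<html><body>about</body></html>\n")
        manifest = build_manifest(root)
        # Simulated append to the web file (constructed placeholder, not real content).
        with open(page, "ab") as fh:
            fh.write(b"<!-- CONSTRUCTED-APPENDED-LINE -->\n")
        # Simulated rewrite of the script file.
        with open(tool, "wb") as fh:
            fh.write(b"@echo off\r\nREM CONSTRUCTED-REWRITE\r\n")
        return sorted(compare(root, manifest), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The manifest itself must be stored somewhere the infector cannot write (read-only media or another host), since the description shows the malware writing to both web and executable files on every fixed drive.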

If the host computer has no internet connectivity, only %System%\spoolsv.exe is infected; the malware then copies the infected spoolsv.exe to removable drives and creates an "autorun.inf" there.
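The removable-drive spreading in step 4 relies on an "autorun.inf" that points Windows at a copy of the malware on the drive itself. The parser below is an added example for triage, not Bitdefender's code: it reads the [autorun] section and flags the keys that cause code execution (open, shellexecute, shell\open\command) when they launch an executable by a relative path, i.e. from the drive root. The sample autorun.inf and the file name sample_payload.exe are constructed placeholders, not indicators from this description.

```python
"""Flag autorun.inf entries that would run an executable from the drive root.

Constructed example: parse the [autorun] section and report the keys that
launch code, with the reason each one is suspicious.
"""
import configparser
import ntpath

# Keys in [autorun] that make Windows AutoRun/AutoPlay execute a command.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr"}

# Constructed sample of the pattern described above (placeholder file name).
SAMPLE_AUTORUN = """[autorun]
open=sample_payload.exe
shellexecute=sample_payload.exe
shell\\open\\command=sample_payload.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def parse_autorun(text: str) -> dict:
    """Return the [autorun] key/value pairs; configparser lower-cases keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def program_token(command: str) -> str:
    """Extract the program from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_executions(entries: dict) -> list:
    """Return (key, value, reason) for entries that would run code from the drive."""
    findings = []
    for key in EXEC_KEYS:
        value = entries.get(key)
        if not value:
            continue
        program = program_token(value)
        reasons = []
        # A relative path resolves against the drive root, i.e. a file the
        # malware placed on the removable drive itself.
        if not ntpath.isabs(program) and not program.startswith("%"):
            reasons.append("relative path (runs from the drive root)")
        if ntpath.splitext(program)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append("launches an executable")
        if reasons:
            findings.append((key, value, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, value, reason in flag_executions(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{key}={value}  <- {reason}")
```

Disabling AutoRun for removable media removes the execution path entirely; the parser is for understanding what a found autorun.inf would have launched.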

It also kills all processes running the following files:
  • avp.exe
  • smss.exe
  • kvsrvxp.exe