(Worm:Win32/Jampork.A; Worm/VB.FEF; Win32.VB.NHZ; WORM_VB.DVP)
- multiple instances of explorer.exe running
- presence of a file named explorer.exe in %SYSTEM32% folder
Note: explorer.exe is also the name of a legitimate file found in %WINDOWS% folder
Please let BitDefender delete the infected files.
Dana Stanut, virus researcher
This is a worm written in Visual Basic that arrives on the computer under the name explorer.exe (via removable drives, or it can be downloaded from the Internet). When executed, it makes a hidden copy of itself in the %SYSTEM32% folder under the name explorer.exe, then runs the legitimate explorer.exe, which pops up a Windows Explorer window as a trick to disguise itself.
It then searches for a file named wsctf.exe in the same folder from which it was run. If found, a hidden copy of this file is made in the %SYSTEM32% folder.
It will add/change the following registry keys in order to be loaded at every system startup:
Name = EXPLORER.EXE
Value = "EXPLORER.EXE"
Name = wsctf.exe
Value = "wsctf.exe"
Name = Userinit
Value = "userinit.exe, EXPLORER.EXE"
This worm periodically searches for online-game-related applications running on the computer and terminates them. The targeted games are: Warcraft III, Counter-Strike, NFS Underground 2, Crazy Arcade, O2-JAM, PopKart Client, YB_OnlineClient, legend of mir2, CTRacer Client, Audition, Fly for Fun, Online, QQGame
It spreads by dropping copies of itself on every removable drive under the name explorer.exe and creating the associated autorun.inf file, which is executed when the drive is accessed.
This worm uses the version information of a legitimate explorer.exe as another attempt to disguise itself.
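The indicators described above (a copy of explorer.exe or wsctf.exe in %SYSTEM32%, an explorer.exe process running from somewhere other than %WINDOWS%, extra entries in the Userinit value, and explorer.exe next to autorun.inf on a removable drive) can be checked against collected host data. The following is an added example, not BitDefender's code; the snapshot dictionary layout, the `check_host` name and the default `C:\Windows` directory are assumptions made for illustration.

```python
import ntpath

# Indicators come from the description above; the snapshot layout is hypothetical.
DROPPED = {"explorer.exe", "wsctf.exe"}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def check_host(snap, windir=r"C:\Windows"):
    """Return (indicator, detail) findings for one host snapshot."""
    system32 = _norm(ntpath.join(windir, "System32"))
    legit = _norm(ntpath.join(windir, "explorer.exe"))
    findings = []
    # 1. explorer.exe or wsctf.exe present in %SYSTEM32%.
    for path in snap.get("files", []):
        p = _norm(path)
        if ntpath.dirname(p) == system32 and ntpath.basename(p) in DROPPED:
            findings.append(("dropped_file", path))
    # 2. explorer.exe process whose image is not the copy in %WINDOWS%.
    for proc in snap.get("processes", []):
        image = _norm(proc["image"])
        if ntpath.basename(image) == "explorer.exe" and image != legit:
            findings.append(("masquerading_process", proc["image"]))
    # 3. Userinit value that lists anything besides userinit.exe.
    for entry in snap.get("userinit", "").split(","):
        entry = entry.strip()
        if entry and ntpath.basename(_norm(entry)) != "userinit.exe":
            findings.append(("userinit_extra_entry", entry))
    # 4. Removable drive root holding both explorer.exe and autorun.inf.
    for root, names in snap.get("removable_roots", {}).items():
        if {"explorer.exe", "autorun.inf"} <= {n.lower() for n in names}:
            findings.append(("autorun_pair", root))
    return findings

# Constructed sample snapshot of an affected host (not real telemetry).
SAMPLE = {
    "files": [r"C:\Windows\explorer.exe", r"C:\Windows\System32\explorer.exe",
              r"C:\Windows\System32\wsctf.exe"],
    "processes": [{"pid": 1200, "image": r"C:\Windows\explorer.exe"},
                  {"pid": 3344, "image": r"C:\WINDOWS\system32\EXPLORER.EXE"}],
    "userinit": "userinit.exe, EXPLORER.EXE",
    "removable_roots": {"E:\\": ["autorun.inf", "explorer.exe", "photos"]},
}

if __name__ == "__main__":
    for indicator, detail in check_host(SAMPLE):
        print(indicator, detail)
```

Because the worm copies the version information of the legitimate explorer.exe, the checks compare file locations and names rather than version metadata.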