
Win32.Worm.Fire.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.Fire.A.

Explanation :

This is a prepender virus: it infects executables by adding itself to the beginning of the host file, so that it executes first and then launches the original host file.

Once an infected file is run, the virus does the following:

1. Creates the file kav.log in the system32\spool folder

2. Creates a copy of the worm as taskmgr.exe (18,944 bytes) in the folder Program Files\Common Files\Microsoft Shared\Speech and starts it

3. Creates the mutex "kilVirus"

4. Attempts to disable various security applications

5. Checks for the existence of some predefined files (pinyin.exe and protect.exe)

6. Creates copies of the virus in the root of each drive as folder.exe, and also creates autorun.inf files there, linked to folder.exe (a bug in this routine may cause a prompt asking for a disk in drive A:)

7. Starts infecting executables, matching files with the extensions scr, com and exe, and appends the text "firefox" to the end of each infected file
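The file-system traces in steps 2, 6 and 7 can be checked with a short triage script. The following is an added example, not BitDefender's code: the function names are hypothetical, the marker is assumed to be the ASCII bytes of "firefox", autorun.inf is assumed to mention folder.exe by name, and the sample tree is constructed. A trailing-marker hit is a lead for further analysis, not proof of infection.

```python
import os
import tempfile

MARKER = b"firefox"                     # assumed ASCII form of the appended text
TARGET_EXTS = {".scr", ".com", ".exe"}  # extensions the description lists
DROPPED_SIZE = 18944                    # size given for the dropped taskmgr.exe

def has_marker(path):  # True if the file's last bytes are the marker
    try:
        with open(path, "rb") as f:
            f.seek(max(0, os.path.getsize(path) - len(MARKER)))
            return f.read() == MARKER
    except OSError:                     # locked or unreadable file: skip it
        return False

def scan_tree(root):
    """Sorted relative paths of scr/com/exe files that end with the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and has_marker(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def root_has_autorun_pair(root):
    """True if root holds folder.exe and an autorun.inf that names it."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "folder.exe" not in names or "autorun.inf" not in names:
        return False
    with open(os.path.join(root, names["autorun.inf"]), "rb") as f:
        return b"folder.exe" in f.read().lower()

def has_dropped_copy(folder):  # taskmgr.exe of exactly DROPPED_SIZE bytes
    path = os.path.join(folder, "taskmgr.exe")
    return os.path.isfile(path) and os.path.getsize(path) == DROPPED_SIZE

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for a drive root
        samples = {"folder.exe": b"MZ", "autorun.inf": b"[autorun]\nopen=folder.exe\n",
                   "setup.exe": b"MZ" + MARKER, "SAVER.SCR": b"MZ" + MARKER,
                   "notes.txt": MARKER, "taskmgr.exe": b"\x00" * DROPPED_SIZE}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return scan_tree(root), root_has_autorun_pair(root), has_dropped_copy(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, point `scan_tree` at a mounted volume, `root_has_autorun_pair` at each drive root, and `has_dropped_copy` at the Speech folder named in step 2.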

Last update 21 November 2011

 
