Win32.Otwycal.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Otwycal.A is also known as Worm.Win32.Otwycal, W32.Wowinzi, W32/Otwycal.A, W32/Cowya.A.
Explanation:
The malware is a file infector that affects PE executable files.
When an infected executable is run, it drops only the malware code from the infected file into %Temp%\WinDir.EXT and runs it.
When that dropped file runs, it copies itself to %WinDir%\Tasks\x01xx8p.exe.
It first infects the file %System%\spoolsv.exe.
After this infection, it tries to download a configuration file into one of these files:
%WinDir%\kkk.txt
%WinDir%\config.txt
%WinDir%\windows.txt
Following the instructions in the configuration file, it does the following:
1. Downloads files from http://888.[REMOVED].com/00/ and runs them.
2. Infects all web-related files with the following extensions:
*.do
*.htm
*.html
*.shtm
*.shtml
*.aspx
*.php
*.jsp
*.cgi
*.xml
*.GHO
The infection consists of appending one or more lines, taken from the configuration file, to the end of each file.
3. Infects all PE files on all fixed drives with the following extensions:
*.exe
*.bat
*.cmd
*.com
*.scr
With the exception of:
qq.exe
QQDoctor.exe
QQDoctorMain.exe
4. Spreads to all removable drives. This is done by creating an “autorun.inf” that runs the copy of the malware code previously written to the removable drive.
If the host computer has no internet connectivity, only %System%\spoolsv.exe is infected; the malware then copies the infected spoolsv.exe to removable drives and creates an “autorun.inf”.
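As an added example, not part of the BitDefender entry: a small Python triage helper that parses an autorun.inf found on a removable drive, works out which programs it would launch, and flags those that match the file names given above (spoolsv.exe, x01xx8p.exe, WinDir.EXT) or that name an executable actually present on the drive. The sample autorun.inf and the helper names are constructed assumptions.

```python
import configparser

# File names the BitDefender entry associates with Win32.Otwycal.A (lower-cased).
KNOWN_NAMES = {"spoolsv.exe", "x01xx8p.exe", "windir.ext"}
# autorun.inf keys that make Windows launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Constructed sample autorun.inf (an illustration, not a capture from the malware).
SAMPLE_AUTORUN = """[autorun]
open=spoolsv.exe
shellexecute="x01xx8p.exe" /q
shell\\open\\command=spoolsv.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def _program(value: str) -> str:
    """Return the program part of a launch value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def launch_targets(autorun_text: str) -> list[str]:
    """Return the distinct base names an autorun.inf body would launch, in key order
    (base names only, so "E:\\spoolsv.exe" and "spoolsv.exe" compare equal)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(autorun_text)
    except configparser.Error:  # missing [autorun] header, malformed lines, ...
        return []
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key in LAUNCH_KEYS:
        program = _program(cp.get("autorun", key, fallback=""))
        if program:
            targets.append(program.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return list(dict.fromkeys(targets))

def assess(autorun_text: str, files_on_drive) -> list[tuple[str, str]]:
    """Flag launch targets that match the entry's file names, or that name an
    executable actually present on the drive (a generic autorun-spread sign)."""
    present = {f.lower() for f in files_on_drive}
    flagged = []
    for name in launch_targets(autorun_text):
        if name in KNOWN_NAMES:
            flagged.append((name, "matches a file name from the Otwycal description"))
        elif name in present:
            flagged.append((name, "autorun launch target is present on the drive"))
    return flagged
```

Against a mounted drive, call `assess(open(drive + "/autorun.inf").read(), os.listdir(drive))`; each result carries the reason so it can go straight into triage notes.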
It also kills all processes running the following files:
avp.exe
smss.exe
kvsrvxp.exe
Last update 21 November 2011