Malware type: Worm

Aliases: W32.Mandaph(Symantec), Mal/Generic-A(Sophos), Worm.Win32.Socks.cd(Kaspersky), TR/Dropper.Gen(Avira), W32/Socks.A.gen!Eldorado (generic(F-Prot), BackDoor-DOQ(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This worm arrives via email messages spammed by another malware or by a malicious user. It may also be dropped by other malware.

Instead of attaching copies of itself to email messages, this worm asks users to click a link in the message. This is an effective way for it to bypass email applications that scan for malicious attachments.

When a user clicks the said link, this worm connects to certain Web sites to download a copy of itself.

This worm drops copies of itself.

It creates registry entries to enable its automatic execution at every system startup. It also modifies a registry entry to enable its automatic execution at every system startup.

This worm propagates by sending email messages containing a link, which when clicked, redirects users to a malicious Web site where a copy of this worm is downloaded.

It attempts to connect to a remote site to retrieve another URL where it downloads a file detected by Trend Micro as TROJ_PANDEX.BO.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 11, 2008 2:18:09 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.