W32.Antiqfx.Worm was discovered on Dec 28, 1999.

W32.Antiqfx.C.Worm runs on the system as Mscdex.exe. The size of the worm is 114,688 bytes. The worm spreads only on the local network. It enumerates the network resources and copies itself to the remote computer's \StartUp folder. It sometimes modifies the Autoexec.bat file to include the following lines, so that it is launched at startup:

@echo off
mscdex.exe
On a remote computer running Windows NT, it copies itself as:

\Winnt\Profiles\Administrator\Start Menu\Programs\Startup\Mscdex.exe
or
\Winnt\Profiles\All Users\Start Menu\Programs\Startup\Mscdex.exe

On a remote computer running Windows 95/98, it copies itself as:

\Windows\Start Menu\Programs\Startup\Mscdex.exe
The worm runs only one copy of itself at a time: it uses a mutex to detect an existing instance, and if the worm is executed again, the new copy terminates.
The worm searches for files with the following extensions and attempts to delete them:
- .bth
- .mar
- .gly
- .isp
- .pos
- .bru
- .qfo
- .que
- .cat
- .lut
- .lso
It also deletes the following program files:
- Qfxwin.exe
- Qfxwin.ini
- Qfxwin1.dll
- Qfxcc.dll
- Aver.ini
- Amwin1.dll
- Amcc.dll
- Avermagic.exe
- Amagic.exe
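The indicators above (the Startup drop paths, the Autoexec.bat launch line, the 114,688-byte size, and the deletion targets) can be checked offline. The following is an added triage helper, not Symantec's tooling or anything from the worm itself. It assumes a snapshot of the host's file listing as a dict of path to size plus the text of Autoexec.bat; the sample snapshot and Autoexec.bat contents are constructed for the example, and the drive letter is stripped before matching because the writeup gives the paths without one.

```python
"""Offline triage helper for the W32.Antiqfx.C.Worm indicators in the writeup.

Added example, not Symantec's own tooling. It works on a constructed snapshot
(a dict of path -> size, plus the text of Autoexec.bat) so it runs anywhere;
a real sweep would feed it a directory listing gathered from the host.
"""
import ntpath
import re

WORM_SIZE = 114_688  # bytes, as stated in the writeup

# Startup folders the worm copies itself into (from the writeup). Drive letters
# are omitted there, so matching is done on the drive-less path, case-insensitively.
STARTUP_DROP_PATHS = (
    r"\Winnt\Profiles\Administrator\Start Menu\Programs\Startup\Mscdex.exe",
    r"\Winnt\Profiles\All Users\Start Menu\Programs\Startup\Mscdex.exe",
    r"\Windows\Start Menu\Programs\Startup\Mscdex.exe",
)

# Payload targets: extensions and file names the worm tries to delete.
PAYLOAD_EXTENSIONS = {".bth", ".mar", ".gly", ".isp", ".pos", ".bru",
                      ".qfo", ".que", ".cat", ".lut", ".lso"}
PAYLOAD_FILENAMES = {"qfxwin.exe", "qfxwin.ini", "qfxwin1.dll", "qfxcc.dll",
                     "aver.ini", "amwin1.dll", "amcc.dll", "avermagic.exe",
                     "amagic.exe"}


def _strip_drive(path):
    # "C:\Winnt\..." -> "\Winnt\..."; paths without a drive are unchanged.
    _drive, rest = ntpath.splitdrive(path)
    return rest


def find_worm_copies(snapshot):
    """Return (path, exact_size) for every path that matches a known drop location.

    exact_size is True when the file is 114,688 bytes, so an analyst can tell an
    exact indicator hit from a same-named file of a different size.
    """
    wanted = {p.lower() for p in STARTUP_DROP_PATHS}
    hits = []
    for path, size in snapshot.items():
        if _strip_drive(path).lower() in wanted:
            hits.append((path, size == WORM_SIZE))
    return sorted(hits)


def autoexec_modified(autoexec_text):
    """True if Autoexec.bat contains the worm's launch line (mscdex.exe on its own).

    The writeup shows "@echo off" before it, but only the mscdex.exe line starts
    the worm, so that is the line this check keys on.
    """
    for line in autoexec_text.splitlines():
        if re.fullmatch(r"\s*mscdex\.exe\s*", line, re.IGNORECASE):
            return True
    return False


def files_at_risk(snapshot):
    """Paths the payload would delete; worth preserving before cleanup."""
    at_risk = []
    for path in snapshot:
        name = ntpath.basename(path).lower()
        ext = ntpath.splitext(name)[1]
        if name in PAYLOAD_FILENAMES or ext in PAYLOAD_EXTENSIONS:
            at_risk.append(path)
    return sorted(at_risk)


# Constructed sample data for the example (not taken from a real host).
SAMPLE_SNAPSHOT = {
    r"C:\Winnt\Profiles\All Users\Start Menu\Programs\Startup\Mscdex.exe": 114_688,
    r"C:\Windows\Start Menu\Programs\Startup\mscdex.exe": 20_480,  # right name, wrong size
    r"C:\Windows\System\Mscdex.exe": 114_688,                      # not a drop location
    r"C:\Qfx\Qfxwin.exe": 300_000,
    r"C:\Qfx\Data\Jobs.que": 1_024,
    r"C:\Qfx\Readme.txt": 512,
}
SAMPLE_AUTOEXEC = "@echo off\r\nSET PATH=C:\\WINDOWS\r\nmscdex.exe\r\n"

if __name__ == "__main__":
    for path, exact in find_worm_copies(SAMPLE_SNAPSHOT):
        print(("EXACT " if exact else "NAME  ") + path)
    print("Autoexec.bat modified:", autoexec_modified(SAMPLE_AUTOEXEC))
    print("Files at risk:", files_at_risk(SAMPLE_SNAPSHOT))
```

The size check is deliberately reported rather than used as a filter: a same-named file in a Startup folder with a different size is still worth a look, but only the 114,688-byte copy is an exact match for this variant. The deletion-target list is there so that an incident responder can copy those files off the host before running cleanup, since the payload deletes them outright.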
The worm is written in C++ and packed by PEPACK (a 32-bit executable packer). The executable is also protected by a HASP layer.