Date discovered: 07/12/2007
Type: File infector
In the wild: Yes
Reported Infections: Medium to high
Distribution Potential: Medium
Damage Potential: Medium
Static file: No
File size: ~19.000 Bytes
IVDF version:

 General

Method of propagation:
   • Infects files

Aliases:
   •  Symantec: W32.Drowor.B!inf
   •  McAfee: W32/Cekar
   •  Kaspersky: IM-Worm.Win32.Sohanad.nj
   •  Sophos: W32/Drowor-A
   •  VirusBuster: Worm.VB.YVP
   •  Eset: Win32/Seriv.A
   •  Bitdefender: Win32.Trafrox.C

The file works interdependently with these components:
   •  W32/Drowor.C

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Infects files

 Files

The following file is created:

– %WINDIR%\Services.exe
It is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: W32/Drowor.C

 File infection

Infector type:

Appender - The virus main code is added at the end of the infected file.
– The following section is added to the infected file:
   • .idata

Damaging - The files may be improperly infected. This results in infected files that are broken and crash.

Because of bugs in the virus, only part of the virus code may be present in an infected sample, which inhibits further replication.

No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.
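
A triage check for the layout described above (entry point redirected into an appended .idata section), written as an added example and not taken from the Avira description. The function names and the header-only sample files are constructed for illustration.

```python
import struct

def entry_point_section(data: bytes):
    """Return (section_name, is_last_section) for the PE entry point, or None."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    for i in range(nsec):
        off = opt + opt_size + 40 * i                      # 40-byte section header
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, off)
        if vaddr <= entry < vaddr + max(vsize, rsize):
            label = name.rstrip(b"\0").decode("latin-1")
            return label, (nsec > 1 and i == nsec - 1)
    return None

def flag_appender(data: bytes, section=".idata"):
    """Heuristic: entry point lies in the last section and that section is named `section`."""
    hit = entry_point_section(data)
    return hit is not None and hit[1] and hit[0] == section

def build_headers(entry, sections):
    """Constructed sample: PE32 headers only (no code), to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    table = b"".join(struct.pack("<8sIIII16x", n.encode(), size, va, size, 0)
                     for n, va, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: a normal three-section file, and one with a trailing .idata
BASE = [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000), (".rsrc", 0x4000, 0x1000)]
CLEAN = build_headers(0x1000, BASE)
SUSPECT = build_headers(0x5010, BASE + [(".idata", 0x5000, 0x5000)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_section(blob), flag_appender(blob))
```

A section named .idata is common in clean binaries, where it holds import data; the signal here is the entry point falling inside it as the last section, so a hit is a reason to scan the file, not a verdict.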

Self Modification:

Encrypted - The virus code inside the infected file is encrypted.


This memory-resident infector remains active in memory.

Infection length:

Approximately 19.000 Bytes

Ignores files that:

Contain any of the following strings in their name:
   • inst
   • unin
   • wise
   • vise
   • setup
   • pas
   • dele
   • master
   • sfx

The following files are infected:

By file type:
   • *.exe
   • *.scr

Files in any of the following directories:
   • %all directories%

Description inserted by Daniel Constantin on Thursday, March 25, 2010
Description updated by Daniel Constantin on Thursday, March 25, 2010
