Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Otwycal.g
Date discovered:24/04/2008
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:~9.300 Bytes
IVDF version:7.00.03.206 - Thursday, April 24, 2008

 General Method of propagation:
   • Mapped network drives


Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.doc
   •  F-Secure: Worm.Win32.AutoRun.doc
   •  Grisoft: Worm/Generic.IEO
   •  Eset: Win32/AutoRun.NC


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Steals information
   • Third party control

 Files It copies itself to the following locations:
   • %WINDIR%\windows.ext
   • %drive%:\MSDOS.bat



A section is added to a file.
– To: %SYSDIR%\spoolsv.exe With the following contents:
   • %executed file%

This makes the mentioned file run after reboot.



It deletes the initially executed copy of itself.



The following files are created:

%drive%:\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Backdoor Contact server:
The following:
   • http://444.er18.com/**********

As a result it may send information and remote control could be provided. The servers answer is written to the file: %SYSDIR%\config.txt

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • Upack

Description inserted by Andrei Gherman on Wednesday, August 6, 2008
Description updated by Andrei Gherman on Wednesday, August 6, 2008

Back . . . .