
W32/Cekar

Type: Virus
SubType: Win32
Discovery Date: 02/12/2007
Length: Varies
Minimum DAT: 4961 (02/12/2007)
Updated DAT: 5274 (04/15/2008)
Minimum Engine: 5.1.00
Description Added: 02/12/2007
Description Modified: 06/07/2007 6:00 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Cekar is a file-infecting worm. It searches for executable files on the infected machine, on removable media and on mounted network drives and appends its viral code to them. It may also monitor and steal passwords for QQ, a popular instant messaging application in China.

On execution, an infected file drops and executes a copy of the propagation component at one of the following paths:

  • %Windir%\system\internat.exe
  • %Windir%\system\conime.exe

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The worm also tries to copy itself as setup.exe to the root of every available drive and share, together with an autorun.inf file:

  • X:\autorun.inf (Windows autorun config file)
  • X:\setup.exe (W32/Cekar)

(Where X: is the drive letter of the hard drive, removable media or network drive).

It can also contact the following site(s) to upload stolen data or download further malware:

  • tx.993311.com
  • mm.21380.com
  • 5y5.us
  • 35561.com

Downloaded files are stored in the following path(s):

  • %Windir%\System\System32.vxd

The list of files probed across shares may be stored in:

  • %Windir%\System\MCIWACE.INC

At the time of writing, these malicious sites were unavailable.
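The dropped files and the autorun.inf/setup.exe pair listed above are all things an incident responder can check for directly. The Python script below is an added example, not part of the original description and not a McAfee tool: it sweeps a Windows folder and a set of drive roots for the filenames named above, parses any autorun.inf it finds to see whether it would launch setup.exe, and builds a constructed sample directory tree (a fake %Windir% and two fake drive roots, one carrying the worm's files) so that it runs offline. The tree layout, the placeholder file contents and the helper names are assumptions of the example.

```python
import configparser
import tempfile
from pathlib import Path

# Filenames taken from the description above. The sample tree built by
# build_sample_tree() and the helper names are assumptions of this example.
DROPPED_NAMES = {"internat.exe", "conime.exe", "system32.vxd", "mciwace.inc"}
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_targets(inf_path):
    """Return the lower-cased programs an autorun.inf would launch.

    autorun.inf is an INI file with an [autorun] section; configparser reads
    it once interpolation is off ('%' is common in paths) and the section
    name is matched case-insensitively.
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = str.lower
    text = Path(inf_path).read_bytes().decode("latin-1").replace("\r\n", "\n")
    try:
        cp.read_string(text)
    except configparser.Error:
        return []
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in AUTORUN_LAUNCH_KEYS:
            value = cp[section].get(key)
            if value:
                targets.append(value.strip().lower())
    return targets


def _names_in(directory):
    """Map lower-cased filename -> Path for a directory (Windows names are case-insensitive)."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name.lower(): p for p in directory.iterdir() if p.is_file()}


def sweep(windir, drive_roots):
    """Check the paths named in the description; return a list of (kind, path) findings."""
    findings = []
    for name, path in _names_in(Path(windir) / "system").items():
        if name in DROPPED_NAMES:
            findings.append(("dropped_component", str(path)))
    for root in drive_roots:
        names = _names_in(root)
        if "setup.exe" in names:
            findings.append(("root_setup_exe", str(names["setup.exe"])))
        if "autorun.inf" in names:
            inf = names["autorun.inf"]
            targets = autorun_targets(inf)
            if any(t.endswith("setup.exe") for t in targets):
                findings.append(("autorun_launches_setup", str(inf)))
            elif targets:
                findings.append(("autorun_other_target", str(inf) + " -> " + ", ".join(targets)))
    return findings


def build_sample_tree(base):
    """Constructed sample: a fake %Windir% plus two fake drive roots, E infected and F clean."""
    base = Path(base)
    system_dir = base / "Windows" / "system"
    system_dir.mkdir(parents=True)
    (system_dir / "conime.exe").write_bytes(b"MZ" + b"\0" * 62)      # placeholder bytes, not real code
    (system_dir / "MCIWACE.INC").write_bytes(b"\\\\fileserver\\share\\tool.exe\r\n")
    infected = base / "E"
    infected.mkdir()
    (infected / "setup.exe").write_bytes(b"MZ" + b"\0" * 62)
    (infected / "autorun.inf").write_bytes(
        b"[AutoRun]\r\nopen=setup.exe\r\nshell\\open\\Command=setup.exe\r\nicon=setup.exe\r\n")
    clean = base / "F"
    clean.mkdir()
    (clean / "autorun.inf").write_bytes(b"[autorun]\r\nicon=vendor.ico\r\n")
    return base / "Windows", [infected, clean]


def demo():
    """Build the sample tree in a temporary directory, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        windir, roots = build_sample_tree(tmp)
        return sweep(windir, roots)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:24} {path}")
```

On a real host, call sweep() with the actual Windows folder and the roots of every mounted drive, preferably from a clean boot environment so the scan does not run alongside the worm. A file at one of the listed paths is a reason to hash and inspect it, not by itself a verdict, and an autorun.inf that names a program other than setup.exe is reported separately so a vendor-supplied autorun is not mistaken for the worm's.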

Symptoms

  • Presence of the files listed above
  • Presence of setup.exe in the root of local drives, removable drives or network shares
  • Increase in size of EXE files
  • Some executable files may cease to run properly
  • Increase in disk activity (read and write)
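The symptom "increase in size of EXE files" is what an appending infector leaves behind: the added code sits past the end of the last section recorded in the PE section table. The Python below is an added example, not code from the original description: it parses the DOS, COFF and section headers of a PE file to find where section data ends and reports anything past it (the overlay), then constructs a minimal PE32 image inline and simulates an appending infection so the check runs offline. The constructed image, the payload bytes and the helper names are assumptions of the example, not the worm's actual code.

```python
import struct
from pathlib import Path


def pe_overlay(data):
    """Return (end_of_sections, overlay_size) for a PE image, or None if it is not a usable PE.

    The section table records where each section's raw bytes live; anything
    past the last one is the overlay. An appending infector that does not
    rewrite the section table leaves its code exactly there.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                 # section table follows the optional header
    end = 0
    for i in range(num_sections):
        entry = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            return None                          # truncated section table
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    if end == 0 or end > len(data):
        return None                              # no section data, or file shorter than its headers claim
    return end, len(data) - end


def build_minimal_pe(section_bytes):
    """Constructed sample: a minimal PE32 with one .text section (headers only, not a runnable program)."""
    size_opt = 0xE0                                      # PE32 optional header size
    table = 0x40 + 4 + 20 + size_opt                     # DOS header, signature, COFF, optional header
    raw_ptr = (table + 40 + 0x1FF) & ~0x1FF              # raw data aligned to 0x200
    raw_size = (len(section_bytes) + 0x1FF) & ~0x1FF
    image = bytearray(raw_ptr + raw_size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)            # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 1, 0, 0, 0, size_opt, 0x0102)  # i386, one section
    struct.pack_into("<H", image, 0x58, 0x10B)           # optional header magic: PE32
    struct.pack_into("<8sIIIIIIHHI", image, table, b".text", len(section_bytes), 0x1000,
                     raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image[raw_ptr:raw_ptr + len(section_bytes)] = section_bytes
    return bytes(image)


def simulate_append_infection(clean_image, payload):
    """Model the 'append its viral code' behaviour: payload glued after the last section."""
    return clean_image + payload


def scan_dir(directory, suffixes=(".exe",)):
    """Return {path: overlay_size} for every file in `directory` that parses as a PE and carries an overlay."""
    hits = {}
    for path in Path(directory).iterdir():
        if path.suffix.lower() not in suffixes or not path.is_file():
            continue
        result = pe_overlay(path.read_bytes())
        if result and result[1] > 0:
            hits[str(path)] = result[1]
    return hits


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 100)                      # constructed stand-in for program code
    infected = simulate_append_infection(clean, b"\x90" * 512)   # constructed stand-in for appended code
    print("clean   :", pe_overlay(clean))
    print("infected:", pe_overlay(infected))
```

Run scan_dir() over the EXEs on a suspect share and compare against known-good copies. A non-zero overlay on a binary whose clean copy has none is worth a closer look, but installers, self-extracting archives and Authenticode-signed files (the certificate table normally lives after the last section) carry an overlay legitimately, so the overlay alone is a triage signal rather than proof of infection.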

Method of Infection

W32/Cekar is a file-infecting virus. Infection starts with manual execution of an infected binary. The autorun.inf dropped beside setup.exe on removable media gives it a second route: on Windows systems with AutoRun enabled, opening the drive can launch the copy without the user deliberately running it.

Removal

AVERT recommends always using the latest DATs and engine. This threat is detected and cleaned with the minimum DAT and engine versions listed above or later.

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • W32.Jacksuf.A (Symantec)