W32/Traxg@MM

Type: Virus
SubType: Email
Discovery Date: 01/22/2008
Length:
Minimum DAT: 5213 (01/22/2008)
Updated DAT: 5213 (01/22/2008)
Minimum Engine: 5.1.00
Description Added: 01/22/2008
Description Modified: 03/09/2008 9:49 PM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

When executed, this worm drops a copy of itself in the following folder:

  • %System%\Fonts\27DE5.com [File name used is random]

Note:

  • %System% refers to the Windows system folder

It then creates the following registry entry to ensure its execution at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    TempCom = "%FontsDir%\27DE5.com"
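Because the dropped file name is random, a check for this persistence entry has to key on where the Run value points (a .com file in the Fonts folder) and on the value name rather than on 27DE5.com. The following is an added example, not part of the McAfee description: it evaluates a constructed list of Run values in the shape reg query prints, and the mapping of %System% and %FontsDir% to concrete folders is an assumption for the sample.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample of HKLM\...\CurrentVersion\Run values (name, type, data),
# the shape "reg query" prints; not collected from a real host.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", "REG_EXPAND_SZ", "%windir%\\system32\\SecurityHealthSystray.exe"),
    ("TempCom", "REG_SZ", "%FontsDir%\\27DE5.com"),  # the entry from the description
    ("Updater", "REG_SZ", '"C:\\WINDOWS\\system32\\Fonts\\A91C3.COM" /s'),  # random name, same pattern
    ("OneDrive", "REG_SZ", '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
]

# Assumed expansions; on a live host take these from the environment. The
# description writes the drop location as %System%\Fonts and the Run value as
# %FontsDir%, so both are assumed to resolve to the same folder here.
ASSUMED_ENV = {
    "windir": "C:\\WINDOWS",
    "System": "C:\\WINDOWS\\system32",
    "FontsDir": "C:\\WINDOWS\\system32\\Fonts",
}

_VAR = re.compile(r"%([^%]+)%")

def expand(data: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens case-insensitively; unknown variables are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), data)

def image_path(data: str, env: Dict[str, str]) -> str:
    """Return the program path from a Run value, dropping quotes and arguments."""
    data = expand(data.strip(), env)
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]  # unquoted: arguments follow the first space

def flag_traxg_persistence(values, env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag Run values that launch a .com file from the Fonts folder, or reuse the name TempCom."""
    fonts_dirs = {ntpath.normcase(expand(p, env)) for p in ("%System%\\Fonts", "%FontsDir%")}
    findings = []
    for name, _type, data in values:
        path = image_path(data, env)
        norm = ntpath.normcase(path)  # lower-case, backslashes: Windows paths are case-insensitive
        if ntpath.dirname(norm) in fonts_dirs and norm.endswith(".com"):
            findings.append((name, path, ".com file launched from the Fonts folder"))
        elif name.lower() == "tempcom":
            findings.append((name, path, "value name TempCom matches the description"))
    return findings
```

Run over the sample, the function reports TempCom and Updater and leaves the two legitimate entries alone; any hit should be confirmed by scanning the referenced file with current DATs before removal.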

Symptoms

  • Presence of the files and registry entries mentioned above
  • Increased network traffic due to the emails sent

Method of Infection

This worm searches for contacts in the Microsoft address book and sends a copy of itself to these contacts.

The worm may also be spread manually, under the premise that the executable is something beneficial, or may be received as a result of poor security practices, unpatched machines or vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

N/A

Overview

This description is for a network-aware worm which attempts to replicate across existing networks.

The characteristics of this worm with regard to file names, folders created, etc. will differ from one version to another. Hence, this is a general description.

Aliases

  • Email-Worm.Win32.VB.bf [Kaspersky]
  • W32.Traxg@mm [Symantec]
  • W32/Traxg-Fam [Sophos]
  • Win32.Traxg.S@mm [BitDefender]
  • Worm.Wukill.k [Rising]
