W32/Semisoft.58368d
- Type: Virus
- SubType: File Infector
- Discovery Date: 01/24/2001
- Length: 58368
- Minimum DAT: 4118 (01/31/2001)
- Updated DAT: 4118 (01/31/2001)
- Minimum Engine: 5.1.00
- Description Added: 11/30/2001
- Description Modified: 01/24/2001 12:00 AM (PT)
Characteristics
This worm affects Windows 32-bit platforms and contains specific code to deal with both Windows NT and other Windows 32-bit operating systems.
When the worm is first executed, it immediately drops a copy of itself called "winipx.exe" in the Windows or Windows NT directory. It also modifies the registry to run this copy on each system startup by adding itself to one of the following keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Upon the next startup, the virus drops another copy of itself called "winsrvc.exe" in the Windows directory and launches this copy as a process. This will appear in the task list as "winsrvc.exe."
After some delay the virus "pings" an IP address in New Zealand.
This worm also contains the icon for Notepad; therefore, the two files in the Windows directory will appear with that icon displayed.
The worm is written in Visual C++ and contains the copyright notice and error messages from that compiler as well as the normal import names.
This variant of the W32/SemiSoft family is 58,368 bytes in size and contains the following unique set of texts:
RASMIN.EXE
WSPOOL.EXE
WINSRVC.EXE
WINIPX.EXE
RASMIN.exe
UPGRADE.EXE
E27.3
c:\testexe.exe
\IDENT.TXT
CONNECT TO
#32770
\WINPHONE.DAT
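An added example (not part of the original description or the vendor's tooling): a Python triage helper that checks a file against the length and text markers listed above, and looks for the two dropped file names in a Windows directory. It assumes the markers may be stored as ASCII or UTF-16LE, which the description does not state; all function names are hypothetical.

```python
from pathlib import Path

EXPECTED_SIZE = 58368  # variant length stated in the description
# Text markers exactly as listed in the description (case preserved).
MARKERS = [
    "RASMIN.EXE", "WSPOOL.EXE", "WINSRVC.EXE", "WINIPX.EXE", "RASMIN.exe",
    "UPGRADE.EXE", "E27.3", r"c:\testexe.exe", r"\IDENT.TXT", "CONNECT TO",
    "#32770", r"\WINPHONE.DAT",
]
# File names the description says are dropped in the Windows directory.
DROPPED_NAMES = ("winipx.exe", "winsrvc.exe")


def find_markers(data: bytes) -> list[str]:
    """Return the listed markers present in data.
    Assumption: ASCII or UTF-16LE storage; the page does not say which."""
    return [m for m in MARKERS
            if m.encode("ascii") in data or m.encode("utf-16-le") in data]


def assess(data: bytes) -> dict:
    """Score a buffer against the size and marker set from the description."""
    found = find_markers(data)
    size_ok = len(data) == EXPECTED_SIZE
    return {
        "size_match": size_ok,
        "markers_found": found,
        "markers_missing": [m for m in MARKERS if m not in found],
        # Require both signals: a single marker alone is weak evidence.
        "suspect": size_ok and len(found) == len(MARKERS),
    }


def scan_windows_dir(windir: str) -> dict:
    """Assess files with the dropped names (any letter case) under windir."""
    results = {}
    for p in Path(windir).iterdir():
        if p.is_file() and p.name.lower() in DROPPED_NAMES:
            results[str(p)] = assess(p.read_bytes())
    return results


def constructed_sample(markers=MARKERS, size=EXPECTED_SIZE) -> bytes:
    """Constructed test buffer: markers joined by NULs, zero-padded to size."""
    body = b"\x00".join(m.encode("ascii") for m in markers)
    return body.ljust(size, b"\x00")
```

A match on size and markers is a triage signal only; confirmation still needs a scanner with the engine and DAT versions listed above.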
Symptoms
Method of Infection
Removal
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner such as:
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- TROJ_RASMIN.B (Trend)
- W32.HLLP.Semisoft.L (NAV)
- W32/HLLP.Semisoft.I (Panda)
- W32/Semisoft-L (Sophos)
- Win32.HLLP.Semisoft.l (AVP)