W32/Vampiro

Type: Virus
SubType: Win32
Discovery Date:
Length:
Minimum DAT: 4195 (04/03/2002)
Updated DAT: 4195 (04/03/2002)
Minimum Engine: 5.1.00
Description Added: 04/04/2002
Description Modified: 04/04/2002 8:12 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

W32/Vampiro is a memory-resident polymorphic virus. The 7018 variant, described here, uses entry-point obfuscating techniques.

On first infection, when an infected file is run, the virus drops the file WDD.EXE in the Windows system directory. It creates a value under the registry Run key so that the virus is loaded at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Vampiro = c:\windows\system32\wdd.exe

Once running in memory, the virus slowly traverses all directories, infecting Win32 PE EXE files.

The size of WDD.EXE varies, but is approximately 15 KB.

An older W32/Vampiro variant (W32/Vampiro.2883) was discovered in October 2000, but is not known to be in the field.

Symptoms

Presence of the file WDD.EXE and registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Vampiro = c:\windows\system32\wdd.exe
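
The symptoms above can be checked against a text listing of the Run key. The following is an added example, not part of the vendor write-up: it assumes the layout printed by `reg query` (name, type and data separated by four spaces), and the function name and sample listing are constructed for illustration. It goes slightly beyond the literal path on the page by matching wdd.exe in any directory and letter case, since the Windows system directory is not always c:\windows\system32.

```python
import re

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# wdd.exe as a file name component, regardless of directory, quoting or case.
DROPPED_FILE = re.compile(r'(?:^|[\\/"\s])wdd\.exe(?=$|["\s])', re.IGNORECASE)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def find_vampiro_run_entries(reg_query_text):
    """Return [(value_name, data, reasons)] for Run values matching the write-up."""
    hits, in_run_key = [], False
    for line in reg_query_text.splitlines():
        if line and not line[0].isspace():
            # Unindented line = key header; match the Run key only (not RunOnce etc.).
            in_run_key = line.strip().lower().endswith(RUN_KEY_SUFFIX)
            continue
        m = VALUE_LINE.match(line)
        if not (in_run_key and m):
            continue
        reasons = []
        if m["name"].strip().lower() == "vampiro":
            reasons.append("value name")
        if DROPPED_FILE.search(m["data"]):
            reasons.append("points at wdd.exe")
        if reasons:
            hits.append((m["name"].strip(), m["data"].strip(), reasons))
    return hits


# Constructed sample listing, not captured from an infected host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Vampiro    REG_SZ    c:\windows\system32\wdd.exe
    Updater    REG_SZ    "C:\WINNT\System32\WDD.EXE" /s

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Vampiro    REG_SZ    c:\temp\setup.exe
"""

if __name__ == "__main__":
    for name, data, reasons in find_vampiro_run_entries(SAMPLE):
        print(f"{name}: {data} ({', '.join(reasons)})")
```

A hit on the value name or on the file name alone is only a lead; confirm with the engine and DAT versions listed above.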

Method of Infection

Running an infected file infects your machine.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Vapir
