
W32/Datom.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 07/04/2002
Length: 58,368
Minimum DAT: 4211 (07/10/2002)
Updated DAT: 4241 (01/08/2003)
Minimum Engine: 5.1.00
Description Added: 07/10/2002
Description Modified: 11/12/2002 6:19 AM (PT)
Risk Assessment:
    Corporate User: Low-Profiled
    Home User: Low-Profiled

Characteristics

--- Update July 12, 2002 ---
The risk assessment of this threat was changed to Low-Profiled as this worm has had some media attention.

This worm arrives as one .exe and two .dll files:

MSVXD32.DLL
MSVXD16.DLL
MSVXD.EXE

These files are copied to the %WinDir% folder.

Two techniques are used to ensure that it is run on subsequent system startups. The worm looks for the Start Menu startup directory and tries to create a link to itself called "VxD Manager". The following registry entry is also created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"MSVXD" = %WinDir%\MSVXD.EXE 1632

The version information in the files' properties is used to camouflage its true intentions:

Description: Windows VxD integrity check
Copyright: Copyright (C) Microsoft Corp. 1995
Company Name: Microsoft Corporation
Product Name: Microsoft® VxD

This worm does not have a damaging payload; it only spreads via shared drives.

Symptoms

  • Presence of the file %WinDir%\MSVXD.EXE
  • Presence of the file %WinDir%\MSVXD32.DLL
  • Presence of the file %WinDir%\MSVXD16.DLL
  • Disables Zone Alarm by terminating its processes
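
A read-only PowerShell check for the file, Run-key and Startup-link indicators described above. This is an added example, not part of the original description or the vendor's tooling; the function names and the wildcard on the link name are assumptions.

```powershell
# Added example: read-only check for the W32/Datom.worm indicators listed above.
function New-Finding($Indicator, $Location, $Detail) {
    [pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail }
}

function Test-DatomIndicators {
    param(
        [string]$WinDir = $env:WinDir,
        [string]$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # 1. Dropped files in %WinDir%. The version strings are reported so they can be
    #    compared with the camouflage values quoted in the description.
    foreach ($name in 'MSVXD.EXE', 'MSVXD32.DLL', 'MSVXD16.DLL') {
        $path = Join-Path $WinDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $v = (Get-Item -LiteralPath $path -Force).VersionInfo
            New-Finding 'File' $path "Description='$($v.FileDescription)'; Company='$($v.CompanyName)'"
        }
    }

    # 2. Run-key persistence: a value named MSVXD, or any value launching MSVXD.EXE.
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($valueName -eq 'MSVXD' -or $data -match 'MSVXD\.EXE') {
                New-Finding 'RunKey' "$RunKey\$valueName" $data
            }
        }
    }

    # 3. Startup-folder link named "VxD Manager" (per-user and all-users folders).
    #    The trailing wildcard is an assumption: the page does not give the extension.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -Filter 'VxD Manager*' -Force -ErrorAction SilentlyContinue |
                ForEach-Object { New-Finding 'StartupLink' $_.FullName 'link named "VxD Manager"' }
        }
    }
}

$hits = @(Test-DatomIndicators)
if ($hits.Count -eq 0) {
    'No W32/Datom.worm indicators from this description were found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```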

Method of Infection

This worm spreads through open shares.

Removal

Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.

As this threat seeks open shares, turn off full-access sharing on your system. If you have to use shares, protect them with a password to avoid being a future target.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Datom.Worm (NAV)
  • Win32.Datom (CAI)
  • Worm.Win32.Datom (AVP)
