W32/RunDoom.worm

Type: Virus
SubType: Worm
Discovery Date: 12/19/2002
Length: 45,056 bytes
Minimum DAT: 4239 (12/23/2002)
Updated DAT: 4241 (01/08/2003)
Minimum Engine: 5.1.00
Description Added: 12/19/2002
Description Modified: 12/19/2002 6:33 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This is a network-aware file virus. When a worm file is run, an error message is displayed:

Software-Error in 44462:27849 #7926 GCG. Aborted.

When an infected executable file is run, this error message does not occur.

When this worm is run on Win9x/ME systems, it does not act as a file-infector. On WinNT/2k/XP it searches for MP3 and EXE files to infect.

Win9x/ME:

This worm copies itself as "C:\Win32napp.exe" and as ".exe" in the path where it was first run. It also creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
win32napp = "C:\win32napp.exe -e"

WinNT/2K/XP:

This worm copies itself as "C:\Win32napp.exe" and creates the same registry entry as on Win9x/ME. It also searches for EXE and MP3 files to infect. With most executable files, the virus prepends itself to the host file. In these files the following string can be found:
"---DEVILSTILLSMELLSME---"

With MP3 files and some EXE files the virus will copy itself with the same file name as another file already on the system, but with an extra .EXE appended. For example, if a file exists on the system named Filename.mp3, the worm will copy itself as Filename.mp3.exe. The original file may or may not be deleted after this.

To spread itself further, on all shared drives available to an infected system, the worm will copy itself as "Setup.exe".

As files are infected, their icon will change to that of the worm:

Symptoms

  • Presence of the files and registry entries as referenced above
  • Files' icons changing to the icon above
  • Unexplained error messages as pictured above
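
The file indicators described above (the "Win32napp.exe" copy, the "Setup.exe" copy on shares, the extra-.EXE companion copies and the marker string) can be swept for with a short script. This is an added example, not part of the original description or of any vendor tool; it assumes the marker is stored as ASCII and that the "Setup.exe" copy has the listed 45,056-byte length, and it does not check the registry Run entry.

```python
import os, sys
from pathlib import Path

MARKER = b"---DEVILSTILLSMELLSME---"  # string found in prepended hosts (ASCII assumed)
WORM_LEN = 45056                      # "Length" field of the description
COMPANION_EXTS = {".mp3", ".exe"}     # Filename.mp3.exe / Filename.exe.exe

def has_marker(path, chunk=1 << 20):
    """Stream the file; keep a tail so a marker split across reads is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if MARKER in tail + block:
                return True
            tail = block[-(len(MARKER) - 1):]
    return False

def classify(path):
    """Return the reason a file matches the description, or None."""
    name = path.name
    low = name.lower()
    if not low.endswith(".exe"):
        return None
    if low == "win32napp.exe":
        return "dropped-copy"
    # Setup.exe is a common legitimate name, so also require the listed length
    # (assumption: the shared-drive copy is the unmodified 45,056-byte worm).
    if low == "setup.exe" and path.stat().st_size == WORM_LEN:
        return "dropped-copy"
    if Path(low[:-4]).suffix in COMPANION_EXTS:
        state = "present" if path.with_name(name[:-4]).exists() else "missing"
        return f"double-extension (original {state})"
    return "marker-string" if has_marker(path) else None

def scan(root):
    """Walk root and return sorted (relative_path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                reason = classify(p)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort the sweep
            if reason:
                hits.append((p.relative_to(root).as_posix(), reason))
    return sorted(hits)

if __name__ == "__main__":
    for rel, reason in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{reason:36} {rel}")
```

A double-extension hit whose original is reported missing matches the note that the original file may be deleted, so that file has to come back from backup rather than from cleaning.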

Method of Infection

This worm spreads by infecting files and copying itself to any drives which are shared to an infected system.

Removal

All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • PE_RUNDOOM.A-0 (Trend)
  • W32/Napp (Panda)
