W32/Wecorl.a, a New PC Virus

Security researchers have discovered a new type of PC virus that launches malicious content pulled from a remote server and abuses a vulnerability in the Server Service to infect the target machine, according to news published by 24 World News on April 22, 2010.

Named W32/Wecorl.a, the PC worm generates the error message "DCOM Server Process Launcher terminated unexpectedly". Currently, this message is appearing all over the Internet.

Internet security software company McAfee says that W32/Wecorl is a virus that can propagate by exploiting a bug in the Server Service (MS08-067), according to the news published by 24 World News on April 22, 2010.

Reportedly, the worm spreads by using a large number of security flaws afflicting the Internet. After it successfully plants itself on a user's PC, it executes truly disturbing and malicious content pulled down from a different server, which attempts to transmit the material to that PC.
The virus spreads incredibly fast, and in the process it erases files it automatically creates along with others saved on the affected PC. To escape detection and removal, it also duplicates itself: once on a PC, W32/Wecorl.a copies itself to %Temp%\Install.2008.dat, which makes it difficult to delete.

The worm also erases the %WINDIR%\system32\dllcache\svchost.exe file and modifies %WINDIR%\system32\svchost.exe. In addition, it establishes a presence in the registry by creating a pair of entries: HKEY_LOCAL_MACHINE\SOFTWARE\Licenses 00:00:00:00:00:00 = [Hexadecimal Data] and HKEY_LOCAL_MACHINE\SOFTWARE\Google 00:00:00:00:00:00 = [Hexadecimal Data].

Worryingly, the virus poses a great danger because, when it connects to the remote servers, its controller can modify those servers so that anything he wishes can then be pulled down onto the affected machine.

Security experts commenting on the problem stated that an end-user can easily detect the virus on his PC by checking the registry for the keys mentioned above. If the keys are present, it would suggest that his system is infected. The registry can be opened by pressing Start + R, typing 'regedit', and then pressing Enter.
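
The registry check described above can be scripted and extended to the file indicators the article lists. The following PowerShell is an added example, not code from the article or from McAfee. It assumes that "00:00:00:00:00:00" stands for a MAC-address-style value name, and it also looks in the WOW6432Node registry view and in %WINDIR%\Temp, neither of which the article mentions.

```powershell
# Added example: triage check for the W32/Wecorl.a indicators named in the article.
# Assumption: "00:00:00:00:00:00" is a placeholder for a MAC-address-style value name.
$macPattern = '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
$findings = @()

# Registry: HKLM\SOFTWARE\Google also exists on clean machines with Google
# software installed, so inspect the values instead of the key's mere presence.
# The WOW6432Node paths (32-bit view on 64-bit Windows) are an added assumption.
$keys = 'HKLM:\SOFTWARE\Licenses', 'HKLM:\SOFTWARE\Google',
        'HKLM:\SOFTWARE\WOW6432Node\Licenses', 'HKLM:\SOFTWARE\WOW6432Node\Google'
foreach ($path in $keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        if ($name -match $macPattern -and $key.GetValueKind($name) -eq 'Binary') {
            $findings += "Binary registry value '$name' under $path"
        }
    }
}

# Dropped copy: %Temp% depends on the account, so check the current user's
# folder and %WINDIR%\Temp (used by SYSTEM; checking it is an added assumption).
foreach ($dir in @($env:TEMP, (Join-Path $env:WINDIR 'Temp')) | Select-Object -Unique) {
    $dropped = Join-Path $dir 'Install.2008.dat'
    if (Test-Path -LiteralPath $dropped) { $findings += "Dropped copy present: $dropped" }
}

# Deleted backup: dllcache only exists on Windows File Protection systems
# (Windows 2000/XP/2003), so a missing file is meaningful only there.
$dllcache = Join-Path $env:WINDIR 'system32\dllcache'
if ((Test-Path -LiteralPath $dllcache) -and
    -not (Test-Path -LiteralPath (Join-Path $dllcache 'svchost.exe'))) {
    $findings += "svchost.exe is missing from $dllcache"
}

if ($findings.Count -gt 0) {
    Write-Warning 'Indicators consistent with W32/Wecorl.a found:'
    $findings | ForEach-Object { "  $_" }
} else {
    'None of the listed W32/Wecorl.a indicators were found.'
}
```

The script only reads the registry and file system. It does not verify whether %WINDIR%\system32\svchost.exe has been modified; compare that file's hash against a known-good copy from installation media.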

Furthermore, the researchers added that if an installed AV solution does not function, users must install their latest operating system.


» SPAMfighter News - 01-05-2010
