This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4534 (2005-07-13)Updated DAT
This detection covers a parasitic worm virus that spreads to both host executables as well as over accessible systems on a network. The worm also downloads and executes other files.
When run, the worm infects .EXE files on the local system, appending itself to host files. 10 threads are created to search for infectable computers on the Internet, SYN packets are sent to random IP addresses on TCP 139 (netbios). The worm then attempts to connect to responding systems via the IPC$ and open shares to parasitically infect files remotely.
The worm also attempts to download and execute a file name dl.exe from utenti.lycos.it . At the time of this writing the site was not responding. However, the virus was known to fetch a downloader trojan, Downloader-ACX, which downloaded two other files:
- Excessive netbios traffic emanating from infected system
- Presence of DL.EXE, GAELICUM.EXE, and CBACK.EXE
The virus does not create any registry keys or in any other way "install" itself to automatically start on system reboot.
This virus spreads via accessible network shares and by parasitically infecting existng executable files.
Use current engine and DAT files for detection and removal.
Close the shares created by this threat: