W32/Acinti.worm

This page shows the details and results of our analysis of the malware W32/Acinti.worm.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4233 (2002-11-13)

Updated DAT

4296 (2003-10-01)

Minimum Engine

5.1.00

File Length

45,056 bytes

Description Added

2002-11-11

Description Modified

2002-11-11

Characteristics

This worm spreads via floppy diskette as Cintia.bmp.exe and uses an icon commonly associated with Microsoft Paint.

When run, it drops a bitmap image of Anna Kournikova in the root of the C: drive, C:\Cintia.bmp, and displays it.

The executable is copied to the WINDOWS SYSTEM (%SysDir%) directory as Kernel32.dll.exe and a registry run key is created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Kernell32" = C:\WINDOWS\SYSTEM\Kernel32.dll.exe

A 4-byte marker file is dropped, C:\Q.

After several minutes, the worm copies itself to the floppy drive, A:\Cintia.bmp.exe.

Symptoms

Presence of the following files:
  • C:\Q.
  • A:\Cintia.bmp.exe
  • C:\WINDOWS\SYSTEM\Kernel32.dll.exe
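
The indicators above can be checked against a file listing and an export of the Run key. The following Python 3 sketch is an added example, not part of the original analysis; it also goes beyond this worm by flagging any decoy-plus-executable double extension such as .bmp.exe. The function names, the two extension lists and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators from the description above, compared case-insensitively.
IOC_FILES = {r"c:\q", r"a:\cintia.bmp.exe", r"c:\windows\system\kernel32.dll.exe"}
RUN_VALUE = ("kernell32", r"c:\windows\system\kernel32.dll.exe")
# Assumption: extension lists chosen for this example, not taken from the page.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
DECOY_EXTS = {".bmp", ".jpg", ".gif", ".txt", ".doc", ".dll"}

def norm(path):
    # Win32 ignores case and trailing dots/spaces, so "C:\Q." and "c:\q" name the same file.
    return path.strip().strip('"').rstrip(". ").lower()

def double_extension(path):
    """True for names like picture.bmp.exe: a decoy extension followed by an executable one."""
    stem, last = ntpath.splitext(ntpath.basename(norm(path)))
    return last in EXEC_EXTS and ntpath.splitext(stem)[1] in DECOY_EXTS

def triage(files, run_values):
    """files: iterable of paths; run_values: Run value name -> command (no arguments).
    Returns a sorted list of (severity, finding) tuples."""
    findings = set()
    for f in files:
        if norm(f) in IOC_FILES:
            findings.add(("match", f"file {f}"))
        elif double_extension(f):
            findings.add(("suspect", f"double extension {f}"))
    for name, cmd in run_values.items():
        if (name.lower(), norm(cmd)) == RUN_VALUE:
            findings.add(("match", f"Run value {name}"))
        elif double_extension(cmd):
            findings.add(("suspect", f"Run value {name} -> {cmd}"))
    return sorted(findings)

# Constructed sample input: two indicator files, one legitimate DLL, one unrelated double extension.
SAMPLE_FILES = [r"C:\Q.", r"C:\WINDOWS\SYSTEM\Kernel32.dll.exe",
                r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", r"D:\photos\holiday.jpg.scr"]
SAMPLE_RUN = {"Kernell32": r"C:\WINDOWS\SYSTEM\Kernel32.dll.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(severity, finding)
```
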

Method of Infection

This worm spreads via floppy diskettes. It does not carry any destructive payloads.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.
