W32.Amirecivel

Discovered: May 04, 2006
Updated: May 04, 2006 10:35:26 AM
Systems Affected: Windows

W32.Amirecivel is a worm that attempts to spread via the Kazaa file-sharing network and hides security-related windows.

Antivirus Protection Dates

  • Initial Rapid Release version May 04, 2006
  • Latest Rapid Release version October 13, 2010 revision 004
  • Initial Daily Certified version May 04, 2006
  • Latest Daily Certified version October 13, 2010 revision 002
  • Initial Weekly Certified release date May 10, 2006

Writeup By: Hatsuho Honda

Once executed, the worm copies itself as the following files:
%System%\svchot.exe
C:\Program Files\Kazaa\My Shared Folder\kaza.cmd
C:\Program Files\Kazaa\My Shared Folder\iraq.pic.scr
C:\Program Files\Kazaa\My Shared Folder\CIVIL.exe
D:\amir_civil.cmd
D:\SCREEN_SAVER.scr
D:\SCREEN_SAVER2.scr
D:\Program Files\Kazaa\My Shared Folder\iran.pic.pif
E:\002.pic.pif
E:\amir_civil.scr
F:\amir_civil3.scr
E:\cool.pic.scr
E:\winx32.pif
F:\iran.scr
F:\iran_02.scr
G:\amir_civil.cmd
G:\anti_virus(norton).doc.cmd

The worm searches all folders and subfolders under the C: drive. If it finds any folder which contains an "r" in the path, then it copies itself as the following file:
%CurrentFolder%\project2.exe

The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"amircivil" = "%System%\svchot.exe..."

The worm creates the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\amir_civil

The worm hides windows with the following class names, some of which are windows for security-related programs:
NAVAP Wnd Class
MGHTML_DLG_CLASS
#32770
ConsoleWindowClass
notepad

The worm then restarts the computer.
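The following PowerShell host check is an added example, not part of the Symantec writeup, that looks for the persistence and file-drop indicators listed above (the Run value, the marker subkey, the fixed drop paths and the project2.exe copies). It assumes Windows PowerShell 5.1 or later with read access to HKCU and the drives it scans; the drop-path list is a representative subset of the files named in the writeup.

```powershell
# Added example: hunt for the W32.Amirecivel indicators described in this writeup.
# Assumes Windows PowerShell 5.1+ and read access to HKCU and the scanned drives.
$system   = [Environment]::SystemDirectory   # resolves %System%, e.g. C:\Windows\System32
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: value "amircivil" under HKCU\...\Run (writeup says it points at %System%\svchot.exe)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['amircivil']) {
    $findings.Add("Run value 'amircivil' = $($run.amircivil)")
}

# 2. Marker subkey the worm creates
if (Test-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\amir_civil') {
    $findings.Add('Registry subkey amir_civil present')
}

# 3. Dropped copies at fixed paths (representative subset of the writeup's list; extend as needed)
$dropped = @(
    (Join-Path $system 'svchot.exe'),
    'C:\Program Files\Kazaa\My Shared Folder\kaza.cmd',
    'C:\Program Files\Kazaa\My Shared Folder\iraq.pic.scr',
    'C:\Program Files\Kazaa\My Shared Folder\CIVIL.exe',
    'D:\Program Files\Kazaa\My Shared Folder\iran.pic.pif',
    'G:\anti_virus(norton).doc.cmd'
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file: $p") }
}

# 4. project2.exe copies: the worm drops one into any C:\ folder whose path contains an "r"
Get-ChildItem -Path 'C:\' -Recurse -Filter 'project2.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -match 'r' } |
    ForEach-Object { $findings.Add("project2.exe copy: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No W32.Amirecivel indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any indicator should be treated as a starting point for a full host review, since the worm also copies itself to removable and secondary drives not scanned here.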
