Short description
Win32/Drowor.A is a file infector.
When executed, the virus copies itself into the %windir%\system\ folder with the following file names:
  • internat.exe (30001 B)
  • internat.exe.tmp (30001 B)
The following file is dropped into the C:\ folder:
  • (30001 B)
The file is then executed.
Executable files infection
The virus searches local and network drives for files with one of the following extensions:
  • .exe
Files are infected by adding a new section that contains the virus.

The host file is modified so that the virus is executed before the original code runs. The size of the inserted code is 30986 B.

It avoids files which contain any of the following strings in their path:
  • System Volume Information
  • Recycled
The virus avoids infecting files whose names contain any of the following strings:
  • KartRider.exe
  • NMService.exe
  • patchupdate.exe
  • ztconfig.exe
  • wool.exe
The virus copies itself into the root folders of local and remote drives.

If successful, the following filename is used:
  • setup.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Other information
The virus creates the following files:
  • %windir%\win.log
The virus tries to download several files from the Internet. The virus contains a list of URLs (1 entry).

The HTTP protocol is used. The downloaded files are stored in the following locations:
  • %windir%\system\SYSTEM32.tmp
  • %windir%\system\SYSTEM32.vxd
The files are then executed.

If the virus is running in a debugger, all running processes are terminated.
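
A triage check for the on-disk artifacts listed under the installation, removable-media and "Other information" parts of this description. It is an added example, not code from the original page; the function names and the returned fields are hypothetical, and the content of autorun.inf is not given in the description, so the script only reports what it finds there.

```python
from pathlib import Path

COPY_SIZE = 30001  # size in bytes the description gives for the virus copies
# File names from the description, as path parts relative to %windir%.
WINDIR_ARTIFACTS = [("system", "internat.exe"), ("system", "internat.exe.tmp"),
                    ("system", "SYSTEM32.tmp"), ("system", "SYSTEM32.vxd"),
                    ("win.log",)]

def find_ci(folder, name):
    """Return the entry in folder matching name case-insensitively, or None."""
    if not folder.is_dir():
        return None
    for entry in folder.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def resolve_ci(base, parts):
    """Walk parts below base, ignoring case as Windows does."""
    current = Path(base)
    for part in parts:
        current = find_ci(current, part)
        if current is None:
            return None
    return current

def check_windir(windir):
    """Return (relative path, size == COPY_SIZE) for each artifact present."""
    hits = []
    for parts in WINDIR_ARTIFACTS:
        path = resolve_ci(windir, parts)
        if path is not None and path.is_file():
            hits.append(("\\".join(parts), path.stat().st_size == COPY_SIZE))
    return hits

def check_drive_root(root):
    """Report a setup.exe + autorun.inf pair in a drive root, or None."""
    setup = find_ci(Path(root), "setup.exe")
    autorun = find_ci(Path(root), "autorun.inf")
    if setup is None or autorun is None:
        return None
    targets = []  # values of the keys that make autorun.inf launch a program
    for line in autorun.read_text(errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip())
    return {"setup_size": setup.stat().st_size, "autorun_targets": targets,
            "launches_setup": any("setup.exe" in t.lower() for t in targets)}
```

Legitimate installation media also carries setup.exe next to autorun.inf, and internat.exe is a name used by Windows itself, so a hit is a lead for further analysis and not a verdict; the size match and the %windir%\system\ location are what tie a file to this description.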