Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: N/A
Type: Virus
SubType: Win32
DAT Required: 5055
Virus Characteristics
W32/Naplik.a is an appending virus for the Windows platform. This file infector infects .EXE files by copying its code to the end of the file, in a new section named ".k0kus", and modifying the file's entry point to point to the virus code. (Note: the virus did not replicate when we tested it.)
Upon execution, it injects its DLL routine "VirusBoot.dll" into explorer.exe, which is in charge of the infection.
It also contacts three different pages on the following website:
http://www.aabbcc.us/sys/lm/
- to download a possible update of the virus (downloaded updates are stored in %Sysdir%\svchost.exe)
- to report that a machine has been infected
- to send information collected from the machine
Note: this virus is currently being investigated and more information will probably come later.
Indications of Infection
- Attempts to connect to www.aabbcc.us
- Increase in the size of EXE files
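A defender-side check for the two structural traits described under Virus Characteristics (a section named ".k0kus" and an entry point redirected into the appended, last section), as an added example that is not part of the original write-up. The function names and the header-only sample images are constructed for illustration; the entry-point test is a generic heuristic that also fires on some packed files.

```python
import struct

MARKER = b".k0kus"  # section name given in the description above

def parse_pe(data):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size), ...])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    try:
        # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
        count, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
        table = pe + 24 + opt_size                 # section table follows optional header
        sections = []
        for i in range(count):
            name, vsize, vaddr = struct.unpack_from("<8sII", data, table + 40 * i)
            sections.append((name.rstrip(b"\0"), vaddr, vsize))
    except struct.error:
        raise ValueError("truncated PE headers") from None
    return entry, sections

def naplik_indicators(data):
    """List which structural traits from the description this image shows."""
    entry, sections = parse_pe(data)
    hits = []
    if any(name == MARKER for name, _, _ in sections):
        hits.append("section named .k0kus")
    if sections:
        name, vaddr, vsize = sections[-1]
        if vaddr <= entry < vaddr + max(vsize, 1):
            hits.append("entry point in last section")
    return hits

def build_sample(entry, sections):
    """Constructed input: PE32 headers only, no code, not a runnable program."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, entry)   # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    rows = b"".join(struct.pack("<8sII24x", n, vs, va) for n, va, vs in sections)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + rows

# Constructed samples: an ordinary layout and one mirroring the described layout.
CLEAN = build_sample(0x1000, [(b".text", 0x1000, 0x800), (b".data", 0x2000, 0x200)])
SUSPECT = build_sample(0x3000, [(b".text", 0x1000, 0x800), (b".k0kus", 0x3000, 0x1000)])
```

To triage real files, pass the bytes of each .EXE to `naplik_indicators` and treat a ValueError as "not a parsable PE image".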
Method of Infection
W32/Naplik.a is a file infecting virus. Infection starts with manual execution of the binary.