W32/Wecorl
Type: Virus
SubType: Worm
Discovery Date: 11/04/2008
Length: varies
Minimum DAT: 5425 (11/05/2008)
Updated DAT: 5430 (11/10/2008)
Minimum Engine: 5.2.00
Description Added: 11/04/2008
Description Modified: 11/04/2008 8:56 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low
Overview
W32/Wecorl is a worm that spreads by exploiting a vulnerability in the Server Service (MS08-067). The worm is also designed to silently download and execute malicious content from a remote server.
Aliases
- W32.Wecorl (Symantec)
Characteristics
When the executable is run on the victim machine, the worm copies itself to the following locations:
- %Temp%\Install.2008.dat
- %WINDIR%\system32\dllcache\svchost.exe
- %WINDIR%\system32\svchost.exe
The following entries are created in the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Google
  00:00:00:00:00:00 = [Hexadecimal Data]
- HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
  00:00:00:00:00:00 = [Hexadecimal Data]
The worm connects to the following domains and downloads additional malware:
- http://ce1.10w[blocked].com
- http://ls.playswo[blocked].com
Note: Because the website the worm communicates with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
Symptoms
- Existence of the Registry key described above
- Outgoing HTTP traffic to the domains mentioned above
Method of Infection
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations