
Threat Encyclopaedia

Win32/Archivarius.A

Aliases: P2P-Worm.Win32.Archivarius.a (Kaspersky), Backdoor.Trojan (Symantec), Pakes trojan (McAfee)
Type of infiltration: Worm
Size: 1470464 B
Affected platforms: Microsoft Windows
Signature database version: 2892 (20080221)

Short description
Win32/Archivarius.A is a worm that spreads via P2P networks. It installs a backdoor that can be controlled remotely. The file is run-time compressed using Armadillo.
Installation
When executed, the worm copies itself to the following locations:
  • %system%\WinSecure.exe
  • %temp%\Installer-Crack-Keygen.exe
The following files are dropped:
  • %temp%\temp_01.exe (753664 B, Win32/Agent.ECD)
  • %system%\NTSpool.exe (753664 B, Win32/Agent.ECD)
The files are then executed.

In order to be executed at every logon of the affected user, the worm sets the following Registry entry:
  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  • Value: "Windows Security Tool" = "WinSecure.exe"
Spreading via P2P networks
The worm searches for shared folders of the following programs:
  • eMule
  • Kazaa
  • LimeWire
  • Shareaza
  • Ares P2P
  • Warez P2P
  • eDonkey2000
The following files may be dropped in the same folder:
  • .1Click DVD Copy Pro 3.1.2.8.rar
  • .2007 Power Point Viewer.rar
  • .321 XviD Converter 1.2.4.rar
  • .321 XviD Converter 1.3.4.rar
  • .3D Brush 2.03.SP2.rar
Each archive contains an executable file with the following name:
  • Installer-Crack-Keygen.exe
Other information
The worm creates the following files:
  • %system%\rar.exe
  • %temp%\TEMP1.zip
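The indicators above (dropped files, the Policies\Explorer\Run persistence value, and dot-prefixed .rar archives in P2P shared folders) can be checked on a host with the read-only PowerShell script below. It is an added example and not part of the ESET entry. The file names, registry key and value, and archive naming pattern come from the entry; the P2P shared-folder locations are assumed default install paths and may differ on a given host, and the function name Find-ArchivariusIndicators is the author's own.

```powershell
# Added example (not from the ESET entry): read-only check of a Windows host
# for the Win32/Archivarius.A indicators listed in the entry.
# Assumptions: P2P shared-folder paths below are default install locations.

function Find-ArchivariusIndicators {
    $sys  = [Environment]::GetFolderPath('System')   # %system%
    $temp = [IO.Path]::GetTempPath()                 # %temp% of the current user

    # File indicators from the entry. Sizes are what the entry reports; a hit
    # with a different size still deserves a look (repacked variant).
    $fileIocs = @(
        @{ Path = (Join-Path $sys  'WinSecure.exe');               Size = 1470464 },
        @{ Path = (Join-Path $sys  'NTSpool.exe');                 Size = 753664  },
        @{ Path = (Join-Path $sys  'rar.exe');                     Size = $null   },  # a rar.exe in %system% is unusual on its own
        @{ Path = (Join-Path $temp 'Installer-Crack-Keygen.exe');  Size = 1470464 },
        @{ Path = (Join-Path $temp 'temp_01.exe');                 Size = 753664  },
        @{ Path = (Join-Path $temp 'TEMP1.zip');                   Size = $null   }
    )

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($ioc in $fileIocs) {
        if (-not (Test-Path -LiteralPath $ioc.Path -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $ioc.Path -Force
        $hash = (Get-FileHash -LiteralPath $ioc.Path -Algorithm SHA256).Hash
        $sizeNote = if ($null -ne $ioc.Size -and $item.Length -ne $ioc.Size) {
            "size $($item.Length) differs from reported $($ioc.Size)"
        } else {
            "size $($item.Length)"
        }
        $findings.Add([pscustomobject]@{ Type = 'File'; Where = $ioc.Path; Detail = "SHA256=$hash; $sizeNote" })
    }

    # Persistence. Policies\Explorer\Run is processed by Explorer at logon and is
    # easy to miss when only ...\CurrentVersion\Run is reviewed. The entry names
    # HKCU; HKLM is checked as well.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($prop.Name -eq 'Windows Security Tool' -or "$($prop.Value)" -match 'WinSecure\.exe') {
                $findings.Add([pscustomobject]@{ Type = 'Registry'; Where = $key; Detail = "$($prop.Name) = $($prop.Value)" })
            }
        }
    }

    # Spreading. Assumed default shared folders for the clients the entry lists;
    # adjust to the host's actual configuration. The lure archives in the entry
    # all have names starting with a dot and the .rar extension.
    $pf         = [Environment]::GetFolderPath('ProgramFiles')
    $profileDir = [Environment]::GetFolderPath('UserProfile')
    $docs       = [Environment]::GetFolderPath('MyDocuments')
    $shareDirs = @(
        (Join-Path $pf 'eMule\Incoming'),
        (Join-Path $pf 'Kazaa\My Shared Folder'),
        (Join-Path $profileDir 'Shared'),             # LimeWire
        (Join-Path $docs 'Shareaza Downloads'),
        (Join-Path $pf 'Ares\My Shared Folder'),
        (Join-Path $pf 'Warez\My Shared Folder'),
        (Join-Path $pf 'eDonkey2000\incoming')
    )
    foreach ($dir in $shareDirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -Force -Filter '*.rar' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '.*' } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{ Type = 'P2P archive'; Where = $_.FullName; Detail = "size $($_.Length)" })
            }
    }

    return $findings
}

$hits = Find-ArchivariusIndicators
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No Win32/Archivarius.A indicators found.' }
```

Run it from an elevated PowerShell so that %system% and HKLM are readable. The script only matches archive names; confirming that a flagged archive actually contains Installer-Crack-Keygen.exe needs an unrar tool, which is deliberately left out so the check stays read-only and dependency-free.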