Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 09 Jun 2007
Damage: Medium

Characteristics: W32.Rosserag is a virus that infects executable files and attempts to download additional malicious files.

More details about W32.Rosserag

When an infected file is executed, the virus drops a copy with the hidden attribute set as “%CurrentFolder%\[SPACE][ORIGINAL FILE NAME]”, that is, the original file name prefixed with a space, in the folder the infected file ran from. It then injects its code into iexplore.exe. Next, it searches drives D to Z, excluding the CD-ROM drive, and infects the .exe files it finds there; on the same drives it may also infect files with the extensions “.htm”, “.html”, “.asp”, “.aspx”, “.php” and “.jsp”. The virus then attempts to download a file from a website and save it as “C:\NTDETECT.dll”. Note that the legitimate boot-time file is NTDETECT.COM, so a .dll of that name in the root of C: is not expected on a clean system. On execution the virus may also change the system configuration: it drops hidden copies of itself into the system folder and adds values to the Windows registry so that the program runs at every system boot.
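The file-system artefacts above can be checked with a short triage script. The following is an added example written for this page, not the vendor's own detection or removal tool. It encodes the indicators from the description (the hidden space-prefixed dropped copy next to its original, the C:\NTDETECT.dll payload, and the .exe and web files on drives D to Z excluding CD-ROM drives) as matching rules over a file listing. The Entry class, the function names and the SAMPLE listing are constructed for illustration; the live collector relies on Windows file attributes and GetDriveTypeW and therefore only runs on Windows, while the matching functions are pure and run anywhere.

```python
"""Triage helper for the W32.Rosserag artefacts described above.

Added example for this page, not the vendor's own detection or removal tool.
Drive letters, file names and the SAMPLE listing are constructed for
illustration; the live collector only runs on Windows.
"""
import ctypes
import ntpath
import os
import sys
from dataclasses import dataclass

# Indicators taken from the description: payload path, infectable file types,
# targeted drives. NTDETECT.COM is a legitimate boot file; NTDETECT.dll is not.
PAYLOAD_PATH = r"C:\NTDETECT.dll"
INFECTABLE_EXTENSIONS = {".exe", ".htm", ".html", ".asp", ".aspx", ".php", ".jsp"}
TARGET_DRIVES = {chr(c) for c in range(ord("D"), ord("Z") + 1)}

FILE_ATTRIBUTE_HIDDEN = 0x02   # Win32 file-attribute bit
DRIVE_FIXED = 3                # GetDriveTypeW() return values
DRIVE_CDROM = 5


@dataclass(frozen=True)
class Entry:
    path: str         # Windows-style absolute path
    attributes: int   # Win32 file-attribute bitmask
    drive_type: int   # GetDriveTypeW() result for the file's drive


def drive_letter(path):
    return path[0].upper() if len(path) > 1 and path[1] == ":" else ""


def in_infection_scope(entry):
    """Drives D to Z, excluding CD-ROM drives: the range the virus infects."""
    return drive_letter(entry.path) in TARGET_DRIVES and entry.drive_type != DRIVE_CDROM


def find_indicators(entries):
    """Return (reason, path) pairs for artefacts the description attributes to the virus."""
    known = {e.path.lower() for e in entries}
    hits = []
    for e in entries:
        folder, name = ntpath.split(e.path)
        if e.path.lower() == PAYLOAD_PATH.lower():
            hits.append(("downloaded payload", e.path))
        # Dropper artefact: hidden copy named "[SPACE][ORIGINAL FILE NAME]" next to
        # the original, in whatever folder the infected file was executed from.
        elif name.startswith(" ") and e.attributes & FILE_ATTRIBUTE_HIDDEN:
            if ntpath.join(folder, name[1:]).lower() in known:
                hits.append(("hidden space-prefixed copy beside original", e.path))
    return hits


def infectable_targets(entries):
    """Files the virus would infect: .exe and web files on drives D-Z, CD-ROMs excluded.
    These are the files to submit to a scanner or compare against known-good hashes."""
    return [
        e.path for e in entries
        if in_infection_scope(e)
        and ntpath.splitext(e.path)[1].lower() in INFECTABLE_EXTENSIONS
    ]


def collect(roots):
    """Windows-only live collector: walk the given roots and build Entry objects."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows file attributes and drive types")
    kernel32 = ctypes.windll.kernel32
    entries = []
    for root in roots:
        dtype = kernel32.GetDriveTypeW(ctypes.c_wchar_p(ntpath.splitdrive(root)[0] + "\\"))
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    attrs = os.stat(p).st_file_attributes
                except OSError:
                    continue
                entries.append(Entry(p, attrs, dtype))
    return entries


# Constructed sample listing (not real telemetry) exercising each rule.
SAMPLE = [
    Entry(r"C:\Users\bob\Downloads\setup.exe", 0x20, DRIVE_FIXED),   # original, run by the user
    Entry(r"C:\Users\bob\Downloads\ setup.exe", 0x22, DRIVE_FIXED),  # hidden dropped copy
    Entry(r"C:\NTDETECT.COM", 0x26, DRIVE_FIXED),                    # legitimate boot file
    Entry(r"C:\ntdetect.dll", 0x20, DRIVE_FIXED),                    # downloaded payload
    Entry(r"C:\Windows\notepad.exe", 0x20, DRIVE_FIXED),             # C: is outside infection scope
    Entry(r"D:\tools\app.exe", 0x20, DRIVE_FIXED),                   # infectable
    Entry(r"E:\site\index.html", 0x20, DRIVE_FIXED),                 # infectable
    Entry(r"E:\site\notes.txt", 0x02, DRIVE_FIXED),                  # hidden, but not an indicator
    Entry(r"F:\setup.exe", 0x20, DRIVE_CDROM),                       # CD-ROM drive, skipped
]

if __name__ == "__main__":
    entries = collect(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for reason, path in find_indicators(entries):
        print(f"[{reason}] {path}")
    print(f"{len(infectable_targets(entries))} infectable target(s) in scope")
```

Run it with no arguments to exercise the constructed sample, or with one or more drive roots (for example D:\ E:\) on a Windows host to collect a real listing. The hidden space-prefixed copy sitting beside its original is the strongest of these indicators; C:\NTDETECT.dll alone could be the remnant of a download that never ran, and infectable_targets is the list of files to scan, not proof that they are infected.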

W32.Rosserag is also described as a malicious program whose primary goal is to open a backdoor on the compromised system. Once installed, it drops copies of itself into the Windows directory and registers itself in the Windows startup entries. It then opens a pre-specified TCP port and connects to the Internet, which gives the remote attacker backdoor access to the machine. After the connection is established, the program reportedly sends an e-mail message to the remote intruder confirming that the targeted machine has been infected. The remote attacker, also referred to as the master, accesses the machine through the opened port. Once the Windows Firewall has been disabled, the attacker can manipulate data on the machine and install additional malicious software. Because the description gives neither the port number nor the e-mail details, triage should look for unexpected listening ports together with the file and registry artefacts described above rather than for one specific port.