Aliases: Win32.Rotor.a, W32/Rotor.a, WIN.EXE.Virus, PE_ROTOR.A, Win32:Rotor,
Variants: Win32/Rotor.A, BehavesLike:Win32.ExplorerHijack, Suspect File, WIN32

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 31 Jul 2004
Damage: Medium

Characteristics: The W32.Rotor is a virus that adds itself to .scr and .exe files and has backdoor functionality.

More details about W32.Rotor

When a file contaminated with the W32.Rotor program is opened, the virus automatically looks for the files with .scr or .exe extensions on drives C to Z and network resources. The virus attacks a random number of data that it finds, adding itself in a section called “.txt”. Take note that the virus contaminates system files, skipping folders with names that begin w/ “WINN”, such as “WINNT” folder. The virus attaches a backdoor code to the “Progman.exe”, if it’s running. It also tries to contact a remote server on TCP port. If a connection is made, the virus runs a command shell on the computer. It controls the host file, enabling the .exe file to open.

The W32.Rotor program opens random ports in the computer without the knowledge of the user. Remote hackers may access the computer via the opened ports. The remote hacker may send additional programs via the opened port. The remote hacker may also utilize the connection to gather system information from the computer. This collected information may include processor type, operating system and free hard disk space. The remote user may also gather confidential files and information from the computer.