Aliases: Etapux, W32/Etap.d, Win32/Linux.Etap, W32/Etap-A, Win32/Etapux.dr
Variants: PE_ETAPx, W32/Etap, W32/Etap, Win32:Simile, Win32.Etap.Gen

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 06 Mar 2002
Damage: Low

Characteristics: The W32.Simile application is a complex virus that utilizes entry-point obscuring, polymorphic decryption, and metamorphism. It contaminates files in folders on all remote and fixed drives that are located at the time that the virus is opened. The virus has no destructive load, but infected data may show messages on specific dates.

More details about W32.Simile

The W32.Simile is a difficult virus that utilizes metamorphism, entry-point obscuring, and polymorphic decryption. The worm contaminates files in directories on all remote and fixed drives that are used at the moment that the virus is opened. The virus has no destructive payload, but contaminated files may show messages on particular dates. When the virus is executed, it verifies the present date. If the host file (the file that’s infected w/ the virus) introduces the Windows file “User32.dll”, then on the 17th of June, March, December, or September, a message is shown. For every file that’s found, there is a 50% chance that it will be disregarded.

Files wouldn’t be contaminated if they start w/ “F-“, “PA”, “SC”, “DR”, and “NO”, or if the letter V shows anywhere in the filename. Because of the way in which the filename matching is done, filenames with specific characteristics, for instance, those that start with FM or has the 6 are not infected as well. The W32.Simile virus has a lot of other checks to prevent from infecting “goat” files (goat files are files that are commonly utilized to get viruses). The process of infection utilizes the structure of the host, and random factors, to manage the placement of the decryptor and the virus body. This malware may also be capable of detecting and infecting all SCR and EXE files on the infected machine. It was speculated that this malware variant is also capable of bypassing network security protocol to initiate the same function in other terminals within a local area network (LAN).