Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Feb 2006
Damage: Medium

Characteristics: W32.Snow.A is a virus that infects executable files and tries to use the compromised PC to launch an ARP poisoning attack.

More details about W32.Snow.A

W32.Snow.A is a virus that infects executable (.exe) files and tries to use the compromised computer to launch an ARP poisoning attack. When the virus is executed, it creates “%Windir%\ctfmon.exe”, which is the viral component. The file name is chosen to confuse the user, as it is the same as that of the legitimate Windows “ctfmon.exe” file, which is usually found in the “%System%” folder. “%Windir%” is a variable that refers to the Windows installation folder. By default, this is “C:\Winnt” (Windows NT/2000) or “C:\Windows” (Windows 95/98/Me/XP). The virus also creates “%Windir%\packet.dll”, “%Windir%\pthreadvc.dll”, “%Windir%\wpcap.dll”, and “%Windir%\system32\drivers\npf.sys”, which are legitimate files that make up the network driver for the WinPcap network monitoring software.

W32.Snow.A adds the value "CTFMON.EXE" = "%Windir%\ctfmon.exe" to the registry, so that it runs when Windows starts. The virus also creates a registry key, under which it makes registry entries to track its progress on the computer system. The virus then enumerates the processes and tries to infect the .exe files of running processes by appending its viral code to the end of the file. It subsequently tries to infect all the .exe files it finds on both network and local drives.
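
A triage check built from the file and registry indicators described above, as an added example that is not part of the original write-up or any vendor tool. The function name `scan_listing`, the input format (a file listing plus exported autorun name/data pairs) and the sample data are assumptions made for illustration.

```python
import ntpath  # applies Windows path rules on any OS

# File names the description lists as created directly in %Windir%.
WINPCAP_IN_WINDIR = {"packet.dll", "pthreadvc.dll", "wpcap.dll"}
DRIVER_REL = r"system32\drivers\npf.sys"


def _norm(path, windir):
    """Expand a leading %Windir%, then normalise case and separators."""
    path = path.strip().strip('"')
    if path.lower().startswith("%windir%"):
        path = windir + path[len("%windir%"):]
    return ntpath.normcase(ntpath.normpath(path))


def scan_listing(paths, autoruns, windir=r"C:\Windows"):
    """Return sorted (indicator, evidence) pairs.

    paths    -- file paths from a host file listing
    autoruns -- (value name, value data) pairs exported from the registry
    windir   -- Windows folder of the host (C:\\Winnt on NT/2000)
    """
    root = _norm(windir, windir)
    findings = set()
    for raw in paths:
        full = _norm(raw, windir)
        folder, name = ntpath.split(full)
        if folder == root and name == "ctfmon.exe":
            # The genuine ctfmon.exe is usually in %System%, not %Windir%.
            findings.add(("ctfmon.exe in %Windir% root", full))
        elif folder == root and name in WINPCAP_IN_WINDIR:
            findings.add(("WinPcap file in %Windir%", full))
        elif full == ntpath.join(root, DRIVER_REL):
            # Legitimate driver; only meaningful alongside the other hits.
            findings.add(("WinPcap driver present", full))
    for value_name, data in autoruns:
        target = _norm(data, windir)
        if value_name.lower() == "ctfmon.exe" and target == ntpath.join(root, "ctfmon.exe"):
            findings.add(("autorun starts %Windir% copy", target))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    files = [r"C:\WINDOWS\ctfmon.exe", r"C:\Windows\system32\ctfmon.exe",
             r"C:\Windows\wpcap.dll", r"C:\Windows\System32\drivers\npf.sys"]
    runs = [("CTFMON.EXE", r"%Windir%\ctfmon.exe")]
    for indicator, evidence in scan_listing(files, runs):
        print(f"{indicator}: {evidence}")
```

A WinPcap driver hit on its own also appears on hosts where WinPcap was installed deliberately, so treat it as supporting evidence for the ctfmon.exe findings rather than a verdict.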