Aliases: VBS.Welinf.A, Virus.W32.Welinf.A, Virus.Win32/Welinf.A, Win32.Welinf.A
Variants: W32/Welinf.A, Virus.W32/Welinf.A, Virus.Win32.Welinf.A, Win32/Welinf.A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Mar 2006
Damage: Medium

Characteristics: The W32.Welinf.A program is a virus that infects .htm, .vbs, and .html files with the VBS.Welinf.A program. This threat has back-door capabilities that allow unauthorized access to the infected computer. The virus affects Windows platforms such as Windows 95, Windows 2000, Windows 98, Windows NT, Windows Me, Windows XP and Windows Server 2003.

More details about W32.Welinf.A

Once W32.Welinf.A is executed on a system, it deletes all commands scheduled for execution in Task Scheduler. The virus is claimed to continuously check the running processes. When it detects the Windows Task Manager, it adds a command to run itself 2 minutes later and then exits. It also searches for .vbs, .html and .htm files on drives C to Z. The virus is also said to add a value to a registry subkey so that it executes automatically when Windows starts. The file is named iexplorer.exe; it attempts to open a back door on TCP port 23 and waits for commands from the remote attacker. If this happens, the remote attacker may download, copy, upload, and delete your files. The attacker may also terminate processes, steal personal data including passwords, grab screenshots, and restart your computer.
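
A triage check for the two host indicators named above (a process image called iexplorer.exe and a listener on TCP port 23), added here as an example and not part of the original write-up. The `netstat -ano` and `tasklist /fo csv /nh` samples are constructed, and the function names are hypothetical.

```python
import csv
import io

BACKDOOR_PORT = 23               # TCP port the write-up says the back door opens
DROPPED_NAME = "iexplorer.exe"   # file name given in the write-up

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED     1320
  UDP    0.0.0.0:23             *:*                                    1844
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","904","Console","0","3,912 K"
"iexplore.exe","1320","Console","0","18,004 K"
"iexplorer.exe","1844","Console","0","2,116 K"
'''

def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def parse_listeners(text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[4].isdigit():
            port = f[1].rsplit(":", 1)[1]   # rsplit also handles [::]:23
            yield int(port), int(f[4])

def triage(netstat_text, tasklist_text):
    """Return findings matching the behaviour described for W32.Welinf.A."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        if port == BACKDOOR_PORT:
            findings.append(("listener-tcp-23", pid, procs.get(pid, "<unknown>")))
    for pid, name in procs.items():
        if name.lower() == DROPPED_NAME:   # exact match, so iexplore.exe is not flagged
            findings.append(("image-name-iexplorer", pid, name))
    return findings

if __name__ == "__main__":
    for kind, pid, name in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{kind}: pid={pid} image={name}")
```

A listener on TCP port 23 can also be the legitimate Telnet service, so the owning image name reported with the finding is what separates the two cases.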

The W32.Welinf.A application allows unauthorized remote users to create customized Hupigon program variants. The server it connects to may be specified. The components can be designed to mimic the icons and file names of legitimate software. It may be password protected so that only the developer can access it and send it commands. The W32.Welinf.A software places a copy of itself in the Windows directory. Other copies are also placed in hidden subfolders. This allows the application to remain in the system even when its other files have been deleted. The processes are added to the system registry. This makes sure the program can access computing resources and run on startup.