Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
23 Oct 2007
W32.Usbwatch spreads by copying itself to removable and mapped drives. It steals user passwords and configuration information from the compromised computer. When the worm executes, it creates several files and then creates and modifies registry entries.
W32.Usbwatch Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Usbwatch from your computer.
More details about W32.Usbwatch
The worm collects hard disk information, including capacity and free space, the environment variables currently set on the computer, the processes currently running, user account names, and a listing of any files on drives C through H with a .doc, .xls, .pdf, .ppt, or .lnk extension. It also collects network configuration information from the compromised computer: Internet proxy settings, domain name, ARP table entries, host name, local DNS server addresses, IP address, and gateway address. In addition, the worm steals information from the PStore: MSN Explorer passwords, Outlook Express passwords, Internet Explorer Auto-Complete data, and Internet Explorer passwords for password-protected sites.
When W32.Usbwatch is executed, the worm creates files such as %DriveLetter%\Autorun.inf, %UserProfile%\Local Settings\Temp\devwinmgmt.msc, %DriveLetter%\vmc[THREE RANDOM LETTERS].exe, %UserProfile%\Temp\getself.bat, %CurrentFolder%\svchost2.exe, %CurrentFolder%\explore.exe, %CurrentFolder%\svchost.exe, and %CurrentFolder%\wauclt.exe. The worm then creates registry entries and modifies them. It creates a mutex named USBWATCHPR01 so that only one copy of the worm runs on the compromised computer. The worm also creates a file so that it runs whenever the drive is accessed. The harvested information is saved to particular locations. The worm also collects information from the compromised computer.
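The file names listed above can be turned into a triage check over a file listing exported from a suspect machine or removable drive. The following is an added example, not code from this page or from any vendor tool; the function names, the sample paths, and the rule that svchost.exe is expected only under the Windows system directories are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# File-name indicators taken from the description above.
ROOT_DROPPER = re.compile(r"vmc[a-z]{3}\.exe", re.IGNORECASE)  # vmc + three letters
TEMP_ARTIFACTS = {"devwinmgmt.msc", "getself.bat"}
LOOKALIKES = {"svchost2.exe", "explore.exe", "wauclt.exe"}
# Assumption of this example: svchost.exe is expected only in these directories.
SYSTEM_TAILS = {("windows", "system32"), ("windows", "syswow64")}


def classify(path):
    """Return a reason string if the path matches an indicator, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent_parts = tuple(part.lower() for part in p.parent.parts)
    at_drive_root = bool(p.drive) and len(p.parts) == 2

    if at_drive_root and name == "autorun.inf":
        return "autorun.inf in drive root (inspect what it launches)"
    if at_drive_root and ROOT_DROPPER.fullmatch(name):
        return "vmc[3 letters].exe in drive root"
    if name in TEMP_ARTIFACTS and parent_parts[-1:] == ("temp",):
        return "worm artifact in Temp folder"
    if name in LOOKALIKES:
        return "file name listed for the worm's dropped copies"
    if name == "svchost.exe" and parent_parts[-2:] not in SYSTEM_TAILS:
        return "svchost.exe outside the Windows system directory"
    return None


def triage(paths):
    """Map each matching path to the reason it was flagged."""
    return {p: r for p in paths if (r := classify(p))}


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real system.
    sample = [
        r"E:\Autorun.inf",
        r"E:\vmcqzt.exe",
        r"C:\Documents and Settings\bob\Local Settings\Temp\devwinmgmt.msc",
        r"C:\Windows\System32\svchost.exe",
        r"C:\Documents and Settings\bob\Desktop\svchost.exe",
    ]
    for path, reason in triage(sample).items():
        print(f"{path}: {reason}")
```

A match is a lead for further inspection rather than a verdict: legitimate media can carry an Autorun.inf, so check what the flagged file actually launches.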