Author Topic: W32/Cekar  (Read 3574 times)


Amker

W32/Cekar
« on: 16. June 2007., 15:15:55 »
W32/Cekar is a file-infecting worm. It searches for executable files on the infected machine, removable media and mounted network drives to append its viral code. It can also monitor and steal passwords from QQ, a popular Instant Messaging application in China.
Aliases
W32.Jacksuf.A (Symantec)
Characteristics -


On execution, the infected file drops and executes a copy of its propagation component in one of the following path(s):
%Windir%\system\internat.exe
%Windir%\system\conime.exe

(Where %Windir% is the Windows folder; e.g. C:\Windows)

This worm tries to copy itself as setup.exe to the root of all available drives and shares as:
X:\autorun.inf (Windows autorun config file)
X:\setup.exe (W32/Cekar)

(Where X: is the drive letter of the hard drive, removable media or network drive).

It can also contact the following site(s) to upload stolen data or download further malware:
tx.993311.com
mm.21380.com
5y5.us
35561.com

Downloaded files are stored in the following path(s):
%Windir%\System\System32.vxd

The list of files probed across shares may be stored in
%Windir%\System\MCIWACE.INC

At the time of writing, these malicious sites were unavailable.

 
Symptoms -

Presence of the mentioned file(s).
Presence of setup.exe in the root of local drives, removable drives or network shares
Increase in size of EXE files
Some executable files may cease to run properly
Increase in disk activity (read and write)

 
Method of Infection -

W32/Cekar is a file infecting virus.  Infection starts with manual execution of the binary.
Removal -

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
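
A defender-side check for the file artifacts listed in the post above, as an added example (not part of the original post or of the vendor description). The function names are hypothetical, and the idea that the dropped autorun.inf launches setup.exe is an assumption of this example; a hit is an indicator to triage, not a verdict.

```python
from pathlib import Path

# File names the write-up lists under %Windir%\system.
SYSTEM_ARTIFACTS = ["internat.exe", "conime.exe", "System32.vxd", "MCIWACE.INC"]

def find_ci(directory, name):
    """Case-insensitive lookup, so the check behaves the same on any OS."""
    try:
        for entry in Path(directory).iterdir():
            if entry.name.lower() == name.lower():
                return entry
    except OSError:  # missing, unreadable or not a directory
        pass
    return None

def check_windir(windir):
    """Return the listed artifact names present in <windir>\\system."""
    system_dir = find_ci(windir, "system")
    if system_dir is None:
        return []
    return [n for n in SYSTEM_ARTIFACTS if find_ci(system_dir, n)]

def autorun_targets(inf_path):
    """Commands an autorun.inf would launch, lowercased.
    Parsed by hand so a malformed file does not raise."""
    targets, section = [], ""
    for line in Path(inf_path).read_bytes().decode("latin-1").splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(value)
    return targets

def check_root(root):
    """True when root holds setup.exe plus an autorun.inf that launches it
    (that the autorun.inf points at setup.exe is this example's assumption)."""
    inf, exe = find_ci(root, "autorun.inf"), find_ci(root, "setup.exe")
    if inf is None or exe is None or not inf.is_file():
        return False
    return any("setup.exe" in t for t in autorun_targets(inf))

if __name__ == "__main__":
    import os, string
    print("system-folder artifacts:", check_windir(os.environ.get("WINDIR", r"C:\Windows")))
    for letter in string.ascii_uppercase:
        if os.path.isdir(f"{letter}:\\") and check_root(f"{letter}:\\"):
            print("autorun.inf + setup.exe pair in", f"{letter}:\\")
```
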

Samker's Computer Forum - SCforum.info
