Win32/Afgan [Threat Name] go to Threat

Win32/Afgan.A [Threat Variant Name]

Category virus
Detection created May 27, 2008
Detection database version 3135
Aliases Virus.Win32.Afgan.a (Kaspersky)
  Virus:Win32/Afgar.A (Microsoft)
  Win32.Kolumb.2 (Dr.Web)
Short description

Win32/Afgan.A is a file infector.


When executed, the virus drops one of the following files in the %temp% folder:

  • $.$ (24864 B)

The virus creates and runs a new thread with its own program code within the following processes:

  • %windir%\­explorer.exe
Executable file infection

The virus searches local and network drives for files with one of the following extensions:

  • .exe

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus avoids infecting files which contain one of the following strings in their file name:

  • ntoskrnl.exe
  • ntkrnlpa.exe
  • fsquirt.exe
  • fpcount.exe
  • totalcmd.exe
Other information

The virus tries to download and execute several files from the Internet. The virus contains a list of (8) URLs.

The files are saved into the following folder:

  • %temp%

The following filename is used:

  • iexplorer.exe

The virus may create copies of the following files (source, destination):

  • %windir%\­explorer.exe, %temp%\­exp1orer.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.