Win32/Drowor [Threat Name]

Win32/Drowor.A [Threat Variant Name]

Category: virus
Size: 30986 B
Aliases: Virus.Win32.Drowor.a (Kaspersky), W32.Jacksuf.A (Symantec), W32/Cekar.virus (McAfee)
Short description

Win32/Drowor.A is a file infector.


When executed, the virus copies itself into the folder:

  • %windir%\system\

with the following file names:

  • internat.exe (30001 B)
  • internat.exe.tmp (30001 B)

The following file is dropped into the C:\ folder:

  • (30001 B)

The file is then executed.

Executable file infection

The virus searches local and network drives for files with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus.

The host file is modified in a way that causes the virus to be executed prior to running the original code. The size of the inserted code is 30986 B.
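A defender-side check for the infection shape described above (entry point redirected into a newly appended section of about 30986 B), added here as an example; it is not from this page or from ESET. It assumes a file alignment of 512 bytes and runs on constructed, headers-only PE samples; the appended section's name is invented, since the page does not give it.

```python
import struct

INFECTOR_SIZE = 30986  # bytes of code Drowor.A adds to a host, as stated on this page

def parse_sections(data):
    """Return (entry_point_rva, [(name, va, vsize, raw_size), ...]) from raw PE bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = coff + 20 + opt_size + i * 40  # section headers follow the optional header
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw))
    return entry, sections

def appended_section_suspect(data):
    """Return (suspect, last_raw_size). suspect is True when the entry point falls inside
    the last of at least two sections: the shape an appended-section infector leaves."""
    entry, sections = parse_sections(data)
    _, va, vsize, raw = sections[-1]
    in_last = va <= entry < va + max(vsize, raw)
    return (len(sections) >= 2 and in_last, raw)

def matches_infector_size(raw_size, file_alignment=512):
    """True when raw_size is 30986 B rounded up to the file alignment (512 assumed here)."""
    padded = -(-INFECTOR_SIZE // file_alignment) * file_alignment
    return raw_size == padded

def build_pe(entry_rva, sections):
    """Construct a headers-only PE image for testing (constructed, not a real executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, raw, 0, 0, 0, 0, 0, 0)
                    for n, va, vs, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed samples: a two-section host, and the same host with an appended section
# holding the entry point. The section name ".drw" is made up; the page does not give it.
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x2000, 0x2000), (b".data", 0x3000, 0x500, 0x600)])
INFECTED = build_pe(0x4000, [(b".text", 0x1000, 0x2000, 0x2000), (b".data", 0x3000, 0x500, 0x600),
                             (b".drw", 0x4000, INFECTOR_SIZE, 0x7A00)])
```

Packers and legitimately rebuilt binaries also put the entry point in a late section, so treat a hit as a triage signal to pair with the size check, not as a verdict on its own.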

It avoids files which contain any of the following strings in their path:

  • System Volume Information
  • Recycled

The virus avoids infecting files which contain one of the following strings in their file name:

  • KartRider.exe
  • NMService.exe
  • patchupdate.exe
  • ztconfig.exe
  • wool.exe
  • QQ.exe
  • TM.exe
  • CA.exe

The virus copies itself into the root folders of local and remote drives.

The following filename is used:

  • setup.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information

The virus creates the following files:

  • %windir%\win.log

The virus tries to download several files from the Internet.

The virus contains a list of one (1) URL. The HTTP protocol is used.

These are stored in the following locations:

  • %windir%\system\SYSTEM32.tmp
  • %windir%\system\SYSTEM32.vxd

The files are then executed.

If the virus detects that it is running under a debugger, it terminates all running processes.

