The Latest in IT Security

MSRT March ’13 – Wecykler


Wecykler is a family of worms, that shares some similarities with the Worm:Win32/Autorun family, in that it that takes advantage of removable drives attached to an infected system in order to propagate to other machines. They target users’ familiarity with the content of drives (files and directories) disguising as directories with existing and catchy names while hiding the original, for example:

Figure 1. Image of files detected as Wecykler disguised as existing directories

Below are filenames observed in the wild used by Wecykler; take note of the spaces before the file extension, this, together with the use of a folder icon and registry modification to hide file extension, gives it more chance to be clicked by users.

  • RECYCLER .exe
  • New Folder .exe
  • DrivesGuideInfo .exe
  • New Folder (2) .exe
  • DCIM .exe
  • Autorun.inf .exe
  • Images .exe

The Worm:Win32/Wecykler family is capable of performing the following:

  • Saves malware components in the Recycler folder
  • Terminates system and security related processes
  • Logs keystrokes feature

For more information please visit the Win32/Wecykler description. 

We recommend using a complete antivirus solution to thwart this, and similar threats. Microsoft Security Essentials detects and removes Wecykler, and of course a range of other malware and potentially unwanted software. 

Zarestel Ferrer
MMPC Melbourne

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments