Wecykler is a family of worms that shares some similarities with the Worm:Win32/Autorun family, in that it takes advantage of removable drives attached to an infected system in order to propagate to other machines. These worms exploit users' familiarity with the contents of their drives (files and directories) by disguising themselves as directories with existing and catchy names while hiding the originals, for example:
Figure 1. Image of files detected as Wecykler disguised as existing directories
Below are filenames used by Wecykler that have been observed in the wild. Note the spaces before the file extension: together with the use of a folder icon and a registry modification that hides file extensions, they make the file more likely to be clicked by users.
- RECYCLER .exe
- New Folder .exe
- DrivesGuideInfo .exe
- New Folder (2) .exe
- DCIM .exe
- Autorun.inf .exe
- Images .exe
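
A check for the naming pattern described above, added here as an example and not taken from the original post or from any Microsoft tool: it walks a drive, flags `.exe` files whose name has whitespace before the extension, and reports whether a directory with the same base name sits beside the file and whether that directory is hidden. The function names and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def is_hidden(path):
    """True if the Windows hidden attribute is set; always False on other systems."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_disguised_executables(root):
    """List .exe files with whitespace before the extension, e.g. 'DCIM .exe'.

    Each finding also records whether a directory with the same base name sits
    beside the file and whether that directory is hidden.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower(): os.path.join(dirpath, d) for d in dirnames}
        for name in sorted(filenames):
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or stem == stem.rstrip():
                continue  # not an executable, or no padding before ".exe"
            twin = dirs.get(stem.rstrip().lower())
            findings.append({
                "file": os.path.join(dirpath, name),
                "shadowed_dir": twin,
                "dir_hidden": bool(twin) and is_hidden(twin),
            })
    return findings


def build_sample_tree(base):
    """Constructed sample drive layout (empty files, names taken from the list above)."""
    base = Path(base)
    (base / "DCIM").mkdir()
    for name in ("DCIM .exe", "New Folder .exe", "setup.exe", "notes.txt"):
        (base / name).touch()
    return base


if __name__ == "__main__":
    # Pass a drive root to scan it; with no argument, scan the constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tmp)
        for f in find_disguised_executables(root):
            print(f["file"], "| shadows:", f["shadowed_dir"], "| hidden:", f["dir_hidden"])
```

A padded `.exe` next to a hidden directory of the same name is the strongest signal; a padded `.exe` on its own still warrants a look.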
The Worm:Win32/Wecykler family is capable of performing the following:
- Saves malware components in the Recycler folder
- Terminates system and security-related processes
- Logs keystrokes
For more information, please visit the Win32/Wecykler description.
We recommend using a complete antivirus solution to thwart this and similar threats. Microsoft Security Essentials detects and removes Wecykler, as well as a range of other malware and potentially unwanted software.