Wecykler is a family of worms, that shares some similarities with the Worm:Win32/Autorun family, in that it takes advantage of removable drives attached to an infected system in order to propagate to other machines. They target users’ familiarity with the content of drives (files and directories) disguising as directories with existing and catchy names while hiding the original, for example:

  • https://www.facebook.com/SNXTech
  • https://twitter.com/snxconsulting
  • https://www.linkedin.com/in/jftitan/
  • https://www.reddit.com/

Figure 1. Image of files detected as Wecykler disguised as existing directories

Below are filenames observed in the wild used by Wecykler; take note of the spaces before the file extension, this, together with the use of a folder icon and registry modification to hide file extension, gives it more chance to be clicked by users.

  • RECYCLER .exe
  • New Folder .exe
  • DrivesGuideInfo .exe
  • New Folder (2) .exe
  • DCIM .exe
  • Autorun.inf .exe
  • Images .exe

The Worm:Win32/Wecykler family is capable of performing the following:

  • Saves malware components in the Recycler folder
  • Terminates system and security related processes
  • Logs keystrokes feature

For more information please visit the Win32/Wecykler description.

We recommend using a complete antivirus solution to thwart this, and similar threats. Microsoft Security Essentials detects and removes Wecykler, and of course a range of other malware and potentially unwanted software.

  • https://www.facebook.com/SNXTech
  • https://twitter.com/snxconsulting
  • https://www.linkedin.com/in/jftitan/
  • https://www.reddit.com/

Joseph Forbes (684)

Information Technology Consultant. For SMB, SOHO, and Online business. From Computers to Telecommunications this guy has been into it since hippies made it hip. Drone Pilot and Tech Aficionado I get to travel the State of Texas to help businesses succeed.

Welcome to our site! Which clearly looks nice, but not quite complete let.  As we continue to get our website migrated to this new host why not join us?  We have a Newsletter we send out from time to time that is informative as to what services we offer, and any notifications on what is going on, in the cyberspace world!?