W32.Antiqfx.worm or AntiQFX is a 32bit worm which requires a network connection to propagate.


AntiQFX is a 32bit worm which requires a network connection to propagate. It has been reported by at least one client in the United Kingdom at the time of this description.

The worm exists on systems as a rogue copy of a file named "MSCDEX.EXE" and is compressed using PEPACK v.99 of size 114,688 bytes. The icon for this file is the one used for standard MS-DOS executables such as COMMAND.COM or EXTRACT.EXE. The worm uses network connectivity and implements procedure calls in MPR.DLL to locate available systems on a network to propagate itself similar to W32/ExploreZip.worm. The following paths are used if available:

\winnt\profiles\Administrator\Start Menu\Programs\Startup\mscdex.exe

\winnt\profiles\All Users\Start Menu\Programs\Startup\mscdex.exe

\windows\Start Menu\Programs\Startup\mscdex.exe

On the next reboot of the affected system, the registry is modified to load this file when MSCDEX.EXE is executed from the startup location. The following registry locations are modified with the key "cdrom":

software\Microsoft\windows\currentVersion\RunServices cdrom = c:\mscdex.exe

software\Microsoft\windows\currentVersion\RunOnce cdrom = c:\mscdex.exe

software\Microsoft\windows\currentVersion\Run cdrom = c:\mscdex.exe

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.