W32.Antiqfx.worm or AntiQFX is a 32-bit worm which requires a network connection to propagate.
It has been reported by at least one client in the United Kingdom at the time of this description.
The worm exists on systems as a rogue copy of a file named "MSCDEX.EXE", compressed using PEPACK v.99, with a size of 114,688 bytes. The icon for this file is the one used for standard MS-DOS executables such as COMMAND.COM or EXTRACT.EXE. The worm uses network connectivity and calls procedures in MPR.DLL to locate available systems on a network and propagate itself, similar to W32/ExploreZip.worm. The following paths are used if available:
\winnt\profiles\All Users\Start Menu\Programs\Startup\mscdex.exe
On the next reboot of the affected system, when MSCDEX.EXE is executed from the startup location, the registry is modified to load this file. The following registry locations are modified with the key "cdrom":
software\Microsoft\windows\currentVersion\RunServices cdrom = c:\mscdex.exe
software\Microsoft\windows\currentVersion\RunOnce cdrom = c:\mscdex.exe
software\Microsoft\windows\currentVersion\Run cdrom = c:\mscdex.exe
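
The registry and file indicators above can be checked offline against a text export of the registry. The following is an added example, not part of the original description; it assumes a REGEDIT4-style export as input, and the HKEY_LOCAL_MACHINE hive in the constructed sample is an assumption, since the description lists the subkeys without a hive.

```python
import re

# Indicators taken from the description above.
RUN_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\runservices",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\run",
)
VALUE_NAME, FILE_NAME, FILE_SIZE = "cdrom", "mscdex.exe", 114688

# "name"="data" line of a REGEDIT4 export; a backslash escapes \ and "
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export. The hive name is an assumption: the description
# lists the subkeys without one.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"cdrom"="c:\\mscdex.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"cdrom"="c:\\mscdex.exe"

[HKEY_LOCAL_MACHINE\Software\Example\Player]
"cdrom"="enabled"
'''

def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_reg_export(text):
    """Return (key, data) for autorun values matching the worm's indicators."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: remember current key
            continue
        m = VALUE_RE.match(line)
        if not m or not key.lower().endswith(RUN_SUFFIXES):
            continue                  # not a string value under a Run* subkey
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() == VALUE_NAME and basename(data) == FILE_NAME:
            hits.append((key, data))
    return hits

def matches_dropped_file(path, size):
    """True when a file has both the name and the size given for the worm."""
    return basename(path) == FILE_NAME and size == FILE_SIZE
```

`scan_reg_export` expects already-decoded text, and `matches_dropped_file` requires the name and the size to agree, so a file named MSCDEX.EXE with a different size is not flagged on name alone.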