Threat Database Viruses W32.Fypzserv


By LoneStar in Viruses

Threat Scorecard

Threat Level: 20 % (Normal)
Infected Computers: 63
First Seen: July 18, 2013
Last Seen: June 13, 2023
OS(es) Affected: Windows

W32.Fypzserv is a virus that hijacks particular documents, archives, and media files on the targeted PC. W32.Fypzserv may circulate through removable drives. Once run, W32.Fypzserv creates the copies of itself as the malevolent files. W32.Fypzserv creates the malevolent files on all removable drives. W32.Fypzserv creates the registry entry so that it can load automatically whenever you start Windows. W32.Fypzserv creates the registry entry to reduce security settings on the affected computer. W32.Fypzserv creates the registry entries to disable particular programs on the compromised PC. W32.Fypzserv modifies all files with the extensions incorporating docx, doc, xls, xlsx, pptx, ppt, mdb, mdf, accdb, jpg, jpeg, zip, rar, pdf, pst, psd, cdr, avi, mkv, mp4, mov, vob, mp3, iso, nrg, flv and swf. When the files are hijacked by W32.Fypzserv, they will not work until they have been fixed. W32.Fypzserv modifies the registry entries to conceal its occurrence and to modify Internet Explorer settings. W32.Fypzserv also makes other modifications to the Windows Registry.

File System Details

W32.Fypzserv may create the following file(s):
# File Name Detections
1. %DriveLetter%\[CURRENT USER].exe
2. %SystemDrive%\[CURRENT USER].exe
3. %DriveLetter%\Image.exe
4. %UserProfile%\igfxhost.exe
5. %DriveLetter%\Movie.exe

Registry Details

W32.Fypzserv may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\"UncheckedValue" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\"Start" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"LastIndex" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"igfxhost" = "%UserProfile%\igfxhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"UncheckedValue" = "0"


W32.Fypzserv may call the following URLs:


Most Viewed