Virus Profile: W32/SoftSix.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/8/1999
Date Added: 12/8/1999
Origin: N/A
Length: N/A
Type: Virus
Subtype: Worm
DAT Required: 4057


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The virus is otherwise unnoticeable until a message box pops up to insult the user. This occurs on infected systems on the 14th of each month between May and December.

Methods of Infection

Running the worm will directly affect the local machine as mentioned above. This worm will load at Windows NT startup from the system registry and run as a service.


W32.HLLP.Soft6, W32/Soft6

Virus Characteristics

This is a 32-bit worm designed for Windows NT. It consists of two .exe files, both of which must reside in the SYSTEM32 folder. The first file, called either INSTALS.EXE or IACCEPT.EXE (306,688 bytes), must be run first. It installs the second file, called either SERVICESS.EXE or IACCEPTS.EXE (329,728 bytes), as a service called "Service", which becomes active on the next system restart. The first file also installs itself in the registry to auto-run at system start-up. When active, the service displays the text "Hi 2000" in random colors at random positions on the screen between 9 a.m. and noon. The worm protects itself by automatically closing the Task Manager window if it is opened to try to end the service's process. The worm also appears to contain code that will try to infect other NT systems via the network, although this was not observed in AVERT testing. AVERT will modify this description if this effect is observed and can be verified.

Removal Instructions

1) Using the "Services" application from the Control Panel, stop the service called "Service".

2) Using RegEdit, remove the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiss = "instals.exe"

HKEY_USERS\.DEFAULTServiss = "instals.exe"

and then delete the following registry key

"HKEY_LOCAL_MACHINE\SYSTEM\ControlSetNNN\Services\Services" for every "ControlSet" entry under the "HKEY_LOCAL_MACHINE\SYSTEM" registry key.

3) Restart system.
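
The file names and byte lengths listed under Virus Characteristics can be checked against a SYSTEM32 folder on a live host or a mounted disk image. The following Python sketch is an added example, not part of the original profile; the function name `scan_system32` and the default path are assumptions, and it does not inspect the registry.

```python
import sys
from pathlib import Path

# File names and sizes exactly as given in the profile text:
#   installer: INSTALS.EXE or IACCEPT.EXE    (306,688 bytes)
#   service:   SERVICESS.EXE or IACCEPTS.EXE (329,728 bytes)
INDICATORS = {
    "instals.exe": ("installer", 306688),
    "iaccept.exe": ("installer", 306688),
    "servicess.exe": ("service", 329728),
    "iaccepts.exe": ("service", 329728),
}


def scan_system32(directory):
    """Return findings for one SYSTEM32 directory (hypothetical helper).

    Each finding records the path, the role the profile assigns to that
    file name, the size on disk and a confidence:
      "name+size" - name and byte length both match the profile
      "name-only" - name matches but the length differs
    """
    findings = []
    for entry in sorted(Path(directory).iterdir(), key=lambda p: p.name.lower()):
        # NT file names are case-insensitive, so compare in lower case.
        hit = INDICATORS.get(entry.name.lower())
        if hit is None or not entry.is_file():
            continue
        role, expected = hit
        size = entry.stat().st_size
        findings.append({
            "path": str(entry),
            "role": role,
            "size": size,
            "confidence": "name+size" if size == expected else "name-only",
        })
    return findings


if __name__ == "__main__":
    # Assumed default location; pass the SYSTEM32 path of a mounted image instead.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINNT\System32"
    for f in scan_system32(target):
        print(f"{f['confidence']:9}  {f['role']:9}  {f['size']:>7}  {f['path']}")
```

A "name-only" result means the file name matches but the length does not, so it needs manual review rather than automatic deletion.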


