
Monday, 6 October 2008       

Worm.Win32.Nali Spyware/Adware Definition


Name: Worm.Win32.Nali
Category: Viruses
Description: Details
Worm.Win32.Naliv
Naliv is a silly network worm spreading over local and global networks. The worm itself is a Win32 application (PE EXE file) written in Borland C++. It has a file size of about 12K.
When the worm is run, it copies itself to the Windows system directory (the name of the copy varies) and registers this file in the system registry auto-run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV Live Update = %worm file name%

To spread, Naliv generates random IP addresses in an endless loop and tries to connect to the remote computer at each address. If a machine answers and its disk is shared for full access, the worm copies itself to the victim computer's Windows startup directory (if it exists):
C$\Documents and Settings\All Users\Start Menu\Programs\Startup
C\WINDOWS\Start Menu\Programs\Startup
C$\WINNT\All Users\Start Menu\Programs\Startup

The Naliv worm then copies itself under its current file name (worm copies can have various names).
To run, the worm EXE file needs the borlndmm.dll library, which is a component of the Borland Delphi and Borland C++ compilers. Thus only a computer with Borland compilers installed can be affected.
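
A defender-side check for the indicators described above, added here as an example and not part of the original definition: it parses `reg query` output for the "NAV Live Update" Run value and tests a file for the stated traits (PE EXE, about 12K, reference to borlndmm.dll). The function names, the size window and the sample data are assumptions made for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "nav live update"
IMPORT_NAME = b"borlndmm.dll"

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def find_run_entries(reg_query_output):
    """Return (name, data) pairs under the Run key whose name matches the worm's."""
    hits, in_run_key = [], False
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            # Only values listed under the exact Run key are considered.
            in_run_key = line.strip().upper() == RUN_KEY.upper()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m and m["name"].strip().lower() == VALUE_NAME:
            hits.append((m["name"], m["data"].strip().strip('"')))
    return hits

def matches_file_traits(data, min_size=8 * 1024, max_size=16 * 1024):
    """Heuristic: PE EXE of about 12K that references borlndmm.dll.
    The size window is an assumption; the page only says 'about 12K'."""
    return (data[:2] == b"MZ"
            and min_size <= len(data) <= max_size
            and IMPORT_NAME in data.lower())

# Constructed sample input (not captured from a real host).
SAMPLE_REG_OUTPUT = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe",
    r"    NAV Live Update    REG_SZ    C:\WINDOWS\system32\example.exe",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"    NAV Live Update    REG_SZ    C:\ignored\not-the-run-key.exe",
])
SAMPLE_FILE = b"MZ" + b"\x00" * 6000 + b"BORLNDMM.DLL\x00" + b"\x00" * 6000

if __name__ == "__main__":
    for name, target in find_run_entries(SAMPLE_REG_OUTPUT):
        print(f"suspicious Run value {name!r} -> {target}")
    print("file traits match:", matches_file_traits(SAMPLE_FILE))
```

Because the worm copy's file name varies, the check keys on the registry value name and file traits rather than on a fixed file name.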

