Detection files published: 17 Jan. 2006
Description created: 2006-01-18
Description updated: 2006-01-26

Alias: W32/Nyxem-D, W32.Blackmal.E, W32/MyWife.d@MM, Email-Worm.Win32.VB.bi, WORM_GREW.A, W32/Kapser.A@mm, W32/VB.NEI, Worm/KillAV.GR

Spreading mechanism: Email, Network, Other

Payload: Overwrites data files, terminates AV processes
This is an email worm written in Visual Basic. File size is 95690 bytes. This worm has CME ID 24.
This worm sends itself to email addresses found on the local system, as well as copying itself to shared drives. Emails sent will contain either an executable file, or a MIME object containing a uuencoded copy of the worm.
It will make copies of itself as %SYSTEM%\scanregw.exe and %WINDOWS%\Rundll16.exe. The Rundll16.exe file will be marked as a hidden and protected system file in an attempt to hide.
It will add the key and value ScanRegistry="scanregw.exe /scan" to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to make sure it is started with Windows.
The primary destructive payload is the corruption of data files of the types listed below on the 3rd day of every month:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
These are data files and archive formats that typically contain data of high value to the owner. Regardless of possible infections, users should make sure they back up such material regularly to prevent data loss.
The worm will also look up files belonging to AV products and delete them.
A selection of folders it will search for and delete files in:
DAP
BearShare
Symantec
Norton AntiVirus
Alwil Software\Avast4
McAfee.com
Trend Micro
NavNT
Kaspersky Lab
Grisoft\AVG7
LimeWire
Morpheus
HyperTechnologies\Deep Freeze
This worm is detected and removed using defs from January 17th 2006 or later. Read more about how to identify and stop malware spreading through network shares in our article Stopping network share infectors.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| | Stopping network share infectors | |
| | Cleaning of back-up folders on Windows Me and XP | |