
W32/Updatr.A@mm

Threat risk:
Low

Detection files published:
06 Dec 2001
Description created:
2001-12-06
Description updated:
2001-12-13

Malware type:
Worm
Alias:
I-Worm.Updater
Spreading mechanism:
Email

Payload:
Installs annoying script worm

Summary

This is a new email worm that spreads via Microsoft Outlook. It is written in Visual Basic and is additionally compressed with the well-known packing program UPX. It is 12288 bytes long.

At the time of this writing, Norman has received only one confirmed report of Updatr.A from an infected user. We will of course monitor the situation.


When run, it copies itself to the Windows directory under the name UPDATE.EXE and sets the following value under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
Update = C:\WINDOWS\UPDATE.EXE
As a result, the worm is executed on startup.


The worm will also copy a small Visual Basic script worm, VBS/Updatr.A, to the startup directory.

There are now three other variants of this worm, W32/Updatr.B@mm, W32/Updatr.C@mm and W32/Updatr.D@mm.

Spreading description

Email characteristics:

Subject: Variable
Body:

Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.

 


Attachment: Several names possible, see below
The worm sends itself to all users in the Outlook address book.

The subject lines are composed of several strings that can be combined.

Possible attachment names:

Setup.EXE
install.exe
Readme.exe
Files.exe
Picture.exe
Quotation.doc.exe
Letter.doc.exe
Picture.jpg.exe
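
A mail-filter style check for the attachment names and body text listed above, given here as an added example that is not part of Norman's description. It also goes beyond the listed names by flagging any decoy-plus-executable double extension; the extension sets, reason labels and function names are assumptions of this example.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Attachment names and body phrase as given in this description (lower-cased).
UPDATR_NAMES = {"setup.exe", "install.exe", "readme.exe", "files.exe",
                "picture.exe", "quotation.doc.exe", "letter.doc.exe",
                "picture.jpg.exe"}
UPDATR_BODY = "this is the file you ask for"
# Assumption: extension sets chosen for this example, not taken from the page.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
DECOY_EXTS = {".doc", ".jpg", ".txt", ".pdf", ".gif", ".xls"}

def check_attachment_name(filename):
    """Return the reasons a filename is suspicious (empty list if none)."""
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    reasons = ["updatr-listed-name"] if name in UPDATR_NAMES else []
    stem, ext = os.path.splitext(name)
    if ext in EXEC_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons

def scan_message(raw):
    """Map each flagged attachment name in a raw message to its reasons."""
    findings, body_hit = {}, False
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            reasons = check_attachment_name(filename)
            if reasons:
                findings[filename] = reasons
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1")
            body_hit = body_hit or UPDATR_BODY in text.lower()
    if body_hit:  # the body alone is not flagged, only body plus attachment
        for reasons in findings.values():
            reasons.append("updatr-body-text")
    return findings

def constructed_sample():
    """Constructed message: body text and one attachment name from the page."""
    m = EmailMessage()
    m.set_content("Hi:\nThis is the file you ask for, Please save it to disk")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="Quotation.doc.exe")
    return m.as_string()

if __name__ == "__main__":
    print(scan_message(constructed_sample()))
```
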



Threat description

The worm installs a small Visual Basic script worm.


Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Usage Title Comment
  Stopping the spread of viruses on network shares  
  Cleaning of back-up folders on Windows Me and XP