W32/Updatr.B@mm
W32/Updatr.B@mm
Threat risk
|
Detection files published:
13 Dec 2001 |
Description created:
2001-12-11 |
Description updated:
2001-12-13 |
|
Alias:
|
Spreading mechanism
| |
|
Payload:
Installs annoying script worm | ||
Summary
This is a variant of the W32/Updatr.A worm.
At the time of this writing, Norman has received one single confirmed report of Updatr.B from an infected user.
This variant is 13632 bytes long, and instead of being packed with UPX it is packed using a compression utility called Petite.
When run it will copy itself to the Windows directory under the name UPDATE.EXE, and set the registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Update = C:\WINDOWS\UPDATE.EXE
This has the effect that the worm is executed on startup.
It will also copy a small Visual Basic script worm, VBS/Updatr.A, to the startup directory.
Spreading description
Email characteristics:
Subject: Variable
Body: Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.
Attachment: Several names possible, see below
Possible attachment names are:
Setup.EXE
install.exe
Readme.exe
Files.exe
Picture.exe
Quotation.doc.exe
Letter.doc.exe
Picture.jpg.exe
Threat description
Installs the same VB Script worm as the Updatr.A variant.Removal
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.
| Utilizzo | Titolo | Commento |
|---|---|---|
| Blocco dei virus che infettano le condivisioni di rete | ||
| Cleaning of back-up folders on Windows Me and XP |