| Field | Value |
|---|---|
| Detection files published | 13 Dec 2001 |
| Description created | 2001-12-11 |
| Description updated | 2001-12-13 |
| Alias | |
| Spreading mechanism | |
| Payload | Installs annoying script worm |

This is a variant of the W32/Updatr.A worm.
At the time of this writing, Norman has received a single confirmed report of Updatr.C from an infected user.
This variant is 15872 bytes long, and instead of being packed with UPX it is packed using a compression utility called PECompact.
When run, it will copy itself to the Windows System directory under the name SYSTEM.EXE, and set the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run System = C:\WINDOWS\SYSTEM\SYSTEM.EXE
This has the effect that the worm is executed on startup.
It will also copy a small Visual Basic script worm, VBS/Updatr.C, to the startup directory.
The VB script worm that is installed is already detected by Norman's antivirus software as VBS/Eva.B, because of obvious similarities in the code with an earlier VBS virus.
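The following is an added example, not part of Norman's description or tooling: a check that reads a regedit text export of the registry and reports a Run entry matching the persistence described above. The sample export is constructed, and the function names and the `system_dirs` parameter are assumptions of this example; the default directory is the one shown in the description, so pass the system directory of the installation being examined if it differs.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "system"
DROPPED_NAME = "system.exe"

# Constructed sample: REGEDIT4-style export (backslashes in data are doubled).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"System"="C:\\WINDOWS\\SYSTEM\\SYSTEM.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"System"="C:\\WINDOWS\\SYSTEM\\SYSTEM.EXE"
'''

_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: a backslash followed by a character means that character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            match = _STRING_VALUE.match(line)
            if match:
                yield key, _unescape(match.group(1)), _unescape(match.group(2))


def find_updatr_run_entries(text, system_dirs=(r"C:\WINDOWS\SYSTEM",)):
    """Return Run-key entries named 'System' that point at SYSTEM.EXE in a system directory."""
    expected = {(d.rstrip("\\") + "\\" + DROPPED_NAME).lower() for d in system_dirs}
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() != RUN_KEY or name.lower() != VALUE_NAME:
            continue  # only the key and value name given in the description
        if data.strip().strip('"').lower() in expected:
            hits.append((key, name, data))
    return hits
```

A hit is a lead for investigation rather than proof of infection; the 15872-byte file size given above is a further attribute to compare on the file the entry points to.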
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |