- a process called "BR2002" running (it can be seen by right-clicking the taskbar and launching Task Manager).
Invoke Task Manager, select the process called "BR2002" and click "End Task". You should also delete the file "br2002.exe" that contains the worm.
Let BitDefender delete/disinfect files found infected.
Bogdan Dragu, BitDefender Virus Researcher
This worm spreads by maliciously inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.
The virus is disguised as a CD-key generator for the great Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits:
The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
and sent to email@example.com; the sent message looks like this:
I have loaded the ur CDKEY Generator 1.3! CS: HL:
In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website:
The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe.
If the user receives a message from firstname.lastname@example.org, the virus takes a specific action depending on the contents of that message:
- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;
- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to email@example.com, containing the text "Updating...";
- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.
The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from firstname.lastname@example.org.
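The indicators named in this description (the "BR2002" process, the worm file, the two dropped files and the two download URLs) can be turned into a simple triage check. The following is an added example, not part of the original write-up; the `(kind, value)` event format and the sample events are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the description above.
PROCESS_NAMES = {"br2002", "br2002.exe"}
DROPPED_FILES = {r"c:\hehe2397824.exe", r"c:\update35784.exe"}
WORM_FILE = "br2002.exe"
DOWNLOAD_HOST = "home.no.net"
DOWNLOAD_PATHS = {"/downl0ad/cs-keygen.exe", "/downl0ad/update.exe"}

def normalize_path(path):
    """Windows paths are case-insensitive and accept either separator."""
    return re.sub(r"[\\/]+", r"\\", path.strip().strip('"')).lower()

def classify(event):
    """Return the reasons a (kind, value) event matches the worm, if any."""
    kind, value = event  # assumed format: kind is "process", "file" or "url"
    hits = []
    if kind == "process":
        if value.strip().lower() in PROCESS_NAMES:
            hits.append("resident worm process")
    elif kind == "file":
        path = normalize_path(value)
        if path in DROPPED_FILES:
            hits.append("downloaded payload")
        elif path.rsplit("\\", 1)[-1] == WORM_FILE:
            hits.append("worm executable")
    elif kind == "url":
        url = urlsplit(value.strip())
        if (url.hostname or "") == DOWNLOAD_HOST and url.path.lower() in DOWNLOAD_PATHS:
            hits.append("payload download URL")
    return hits

def triage(events):
    """Pair every matching event with the reason it matched."""
    return [(event, reason) for event in events for reason in classify(event)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("process", "BR2002"),
    ("process", "explorer.exe"),
    ("file", r"C:\HEHE2397824.EXE"),
    ("file", "C:/Users/test/Downloads/br2002.exe"),
    ("url", "http://HOME.no.net/downl0ad/Update.exe"),
    ("url", "http://home.no.net/index.html"),
]

if __name__ == "__main__":
    for event, reason in triage(SAMPLE_EVENTS):
        print(f"{event[0]:8} {event[1]} -> {reason}")
```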