Win32.MSNWorm.Rachel.A (N/A)
SYMPTOMS: The presence of the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel] registry key.

TECHNICAL DESCRIPTION: This virus is an Internet worm that spreads through MSN Messenger by intercepting MSN Messenger messages. The worm arrives through MSN Messenger in the following format:
If the user accepts the download and executes the file Rachel.exe, the virus takes control and creates two registry keys: HKLM\Software\MSNSPRD, where it keeps the already infected users and other information, and HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[Rachel] with the value %path%\Rachel.exe, where %path% is the path of the downloaded executable file. Because of this, the virus runs at every restart and takes control of the user's MSN Messenger. After creating those keys, the virus displays the following error message:
and then waits for new MSN messages. When a user sends a message to the infected user, the virus checks whether it has already sent a copy to that user and, if not, sends itself the same way it arrived on the currently infected machine. The virus records every user to whom it tries to send itself in the following registry key: HKLM\Software\MSNSPRD\USRRqstSnt. Because of an error in registering users, this virus will not be able to spread correctly and has very few chances to spread.

Removal instructions:
ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher
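The registry changes listed in the description can be checked offline against a text export of HKLM\Software (for example, one produced by regedit). The following is an added example, not part of the original BitDefender write-up; it assumes that "[Rachel]" denotes a Run value named Rachel, and the sample export and its file paths are constructed for illustration.

```python
import re

# Indicators from the description above, lower-cased (HKLM = HKEY_LOCAL_MACHINE).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_KEY = r"hkey_local_machine\software\msnsprd"

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    # REG_SZ data: drop the quotes, undo .reg escaping (\\ and \").
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])
                current[name] = data
    return keys

def find_rachel_indicators(text):
    """Return findings that match the registry changes described above."""
    findings = []
    for path, values in parse_reg_export(text).items():
        low = path.lower()
        if low == RUN_KEY:
            for name, data in values.items():
                # Assumption: "[Rachel]" on the page is a Run value named Rachel.
                if name.strip("[]").lower() == "rachel":
                    findings.append(f"autorun value {name!r} -> {data}")
        elif low == WORM_KEY or low.startswith(WORM_KEY + "\\"):
            findings.append(f"worm bookkeeping key present: {path}")
    return findings

# Constructed sample export; paths and the benign entry are illustrative only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"Rachel"="C:\\Users\\test\\Downloads\\Rachel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\MSNSPRD]

[HKEY_LOCAL_MACHINE\SOFTWARE\MSNSPRD\USRRqstSnt]
'''

if __name__ == "__main__":
    for finding in find_rachel_indicators(SAMPLE):
        print(finding)
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `find_rachel_indicators`.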

