VBS.Trojan.Carewmr.A (N/A)
SYMPTOMS:
It creates many 0-byte files in "C:\", and some empty folders (also in "C:\").

TECHNICAL DESCRIPTION:
The Trojan displays message boxes with the following text:
1. "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer. "
2. "ERROR!, Code error:3212552, please execute this tool in MS-DOS."
3. "Thank You for prefer Kaspersky Labs Products"

On September the 1st it also displays the message: "Mr.Carew vuelve otra vez!!, jaja"

It tries to delete some registry keys:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray\"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC\"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32\"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector\"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro\"

It also tries to connect to the site "http:\\\\www.avp.ru".

It creates 0-byte files in "C:\":
- "C:\Norton2003isbad_preferKAVORAVP"
- "C:\AVP"
- "C:\NAV"
- "C:\CHILE"
- "C:\TEMUCO"
- "C:\MCAFEE"
- "C:\ENTELPCS"
- "C:\GSM1900MHZ"
- "C:\SONYERICSSON"
- "C:\CAREFULLY_WHIT_ME"
- "C:\YOUR_PC_IS_VERY_BAD"
- "C:\I HATE MELINA"
- "C:\VBS.CarewMR.a"
- "C:\Windows is a real virus?"
- "C:\MELINA_TE_ODIO_MUERETE!"
- "C:\WindowsXP"
- "C:\Windows3.11"
- "C:\Windows98SE"
- "C:\WindowsME"
- "C:\Windows 95"
- "C:\WindowsNT"
- "C:\Windows2000"
- "C:\TELLCELL S.A"
- "C:\PORN"
- "C:\ORAL_SEX"
- "C:\BIN_LADEN_FUCKYOU"
- "C:\ICQ"
- "C:\PANDA"
- "C:\NOD32"
- "C:\TREND"
- "C:\PC-CILLIN"
- "C:\AvpM.exe"
- "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
- "C:\Norton_thePOOR"
- "C:\Madonna_Sucking_my_dick.avi"
- "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
- "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES"

It also creates the folders:
- "C:\Symantec"
- "C:\KasperskyLabs"
- "C:\PandaSoftware"
- "C:\TrendMicro"
- "C:\Eset-Nod-fucked"

It tries to delete the folder "C:\Windows".

The trojan creates a file named "CLRAV_Report.log" in the current folder, containing an error message: "Due an error, Code error:3212552, CLRAV has not disinfect your computer For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

REMOVAL INSTRUCTIONS:
- manual removal: delete all files found to be infected.
- automatic removal: let BitDefender delete the files found to be infected.

ANALYZED BY: Mihaela Stoian, BitDefender virus researcher
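
A triage check for the file-system artifacts described above, given as an added example (it is not BitDefender's code or part of the original description). The marker sets are a subset of the names listed on this page; `triage`, `build_sample` and `extra_dirs` are hypothetical names, and the sample tree is constructed.

```python
import os
import tempfile

# Names taken from the lists on this page (a subset; extend with the rest).
MARKER_FILES = {"avp", "nav", "chile", "temuco", "vbs.carewmr.a", "avpm.exe"}
MARKER_DIRS = {"symantec", "kasperskylabs", "pandasoftware", "trendmicro"}
REPORT_NAME = "CLRAV_Report.log"
REPORT_CODE = "3212552"  # error code quoted in the fake report text

def triage(root, extra_dirs=()):
    """Scan `root` (the C: root on a real host) for the artifacts described above."""
    hits = {"zero_byte_files": [], "empty_dirs": [], "fake_reports": []}
    for entry in os.scandir(root):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if entry.is_file(follow_symlinks=False) and name in MARKER_FILES:
            # Only 0-byte files count: a real AvpM.exe would have content.
            if entry.stat(follow_symlinks=False).st_size == 0:
                hits["zero_byte_files"].append(entry.name)
        elif entry.is_dir(follow_symlinks=False) and name in MARKER_DIRS:
            # Only empty folders count: a real vendor folder is populated.
            if not os.listdir(entry.path):
                hits["empty_dirs"].append(entry.name)
    # The report is written to the script's working folder, so check several.
    for folder in (root, *extra_dirs):
        path = os.path.join(folder, REPORT_NAME)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if REPORT_CODE in fh.read():
                    hits["fake_reports"].append(path)
    for key in hits:
        hits[key].sort()
    return hits

def build_sample(root):
    """Constructed test tree: planted artifacts plus two benign look-alikes."""
    for name in ("AVP", "CHILE"):
        open(os.path.join(root, name), "w").close()       # 0-byte markers
    with open(os.path.join(root, "AvpM.exe"), "w") as fh:
        fh.write("not empty")                              # benign: has content
    os.mkdir(os.path.join(root, "Symantec"))               # empty marker folder
    os.makedirs(os.path.join(root, "TrendMicro", "bin"))   # benign: populated
    with open(os.path.join(root, REPORT_NAME), "w") as fh:
        fh.write("Due an error, Code error:3212552, CLRAV has not disinfect")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Requiring zero size and emptiness keeps a genuine antivirus installation (a populated "C:\Symantec", a real "AvpM.exe") from being flagged.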