VBS.Trojan.Carewmr.A (N/A)
SYMPTOMS: It creates many 0-byte files in "C:\", and some empty folders (also in "C:\").

TECHNICAL DESCRIPTION: The Trojan displays message boxes with the following text:

1. "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer. "
2. "ERROR!, Code error:3212552, please execute this tool in MS-DOS."
3. "Thank You for prefer Kaspersky Labs Products"

On September the 1st it also displays the message: "Mr.Carew vuelve otra vez!!, jaja"

It tries to delete some registry keys:

- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray"
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC"
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32"
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector"
- "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"

It also tries to connect to the site "http:\\www.avp.ru".

It creates 0-byte files in "C:\":

- "C:\Norton2003isbad_preferKAVORAVP"
- "C:\AVP"
- "C:\NAV"
- "C:\CHILE"
- "C:\TEMUCO"
- "C:\MCAFEE"
- "C:\ENTELPCS"
- "C:\GSM1900MHZ"
- "C:\SONYERICSSON"
- "C:\CAREFULLY_WHIT_ME"
- "C:\YOUR_PC_IS_VERY_BAD"
- "C:\I HATE MELINA"
- "C:\VBS.CarewMR.a"
- "C:\Windows is a real virus?"
- "C:\MELINA_TE_ODIO_MUERETE!"
- "C:\WindowsXP"
- "C:\Windows3.11"
- "C:\Windows98SE"
- "C:\WindowsME"
- "C:\Windows 95"
- "C:\WindowsNT"
- "C:\Windows2000"
- "C:\TELLCELL S.A"
- "C:\PORN"
- "C:\ORAL_SEX"
- "C:\BIN_LADEN_FUCKYOU"
- "C:\ICQ"
- "C:\PANDA"
- "C:\NOD32"
- "C:\TREND"
- "C:\PC-CILLIN"
- "C:\AvpM.exe"
- "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
- "C:\Norton_thePOOR"
- "C:\Madonna_Sucking_my_dick.avi"
- "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
- "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES"

It also creates the folders:

- "C:\Symantec"
- "C:\KasperskyLabs"
- "C:\PandaSoftware"
- "C:\TrendMicro"
- "C:\Eset-Nod-fucked"

It tries to delete the folder "C:\Windows".

The Trojan creates a file named "CLRAV_Report.log" in the current folder, containing an error message: "Due an error, Code error:3212552, CLRAV has not disinfect your computer For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

REMOVAL INSTRUCTIONS:

- manual removal: delete all files found infected.
- automatic removal: let BitDefender delete files found infected.

ANALYZED BY: Mihaela Stoian, BitDefender virus researcher
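A triage check for the artifacts described above, added here as an example and not BitDefender's own tooling: it flags marker names only when they are 0-byte files or empty folders, and looks for the fake "CLRAV_Report.log" carrying the quoted error code. The function names, the `MIN_HITS` threshold and the choice of a subset of the listed names are assumptions of this example.

```python
import os
import tempfile

# Subset of the names listed in the description above, lower-cased.
MARKER_FILES = {"avp", "nav", "chile", "temuco", "mcafee", "panda", "nod32",
                "vbs.carewmr.a", "avpm.exe"}
MARKER_DIRS = {"symantec", "kasperskylabs", "pandasoftware", "trendmicro"}
LOG_NAME = "CLRAV_Report.log"
LOG_TEXT = "Code error:3212552"
MIN_HITS = 3  # assumed threshold; a single name match alone proves little


def scan_root(root):
    """Return sorted (kind, name) hits among entries directly under root."""
    hits = []
    with os.scandir(root) as entries:
        for e in entries:
            name = e.name.lower()  # Windows file names are case-insensitive
            if e.is_file(follow_symlinks=False):
                # Only a 0-byte file counts; a real file named "NAV" does not.
                if name in MARKER_FILES and e.stat(follow_symlinks=False).st_size == 0:
                    hits.append(("zero_byte_file", e.name))
            elif e.is_dir(follow_symlinks=False):
                # Only an empty folder counts; an installed product's folder does not.
                if name in MARKER_DIRS and not os.listdir(e.path):
                    hits.append(("empty_dir", e.name))
    return sorted(hits)


def has_fake_report(folder):
    """True if folder holds a CLRAV_Report.log carrying the quoted error code."""
    path = os.path.join(folder, LOG_NAME)
    if not os.path.isfile(path):
        return False
    with open(path, "r", errors="replace") as fh:
        return LOG_TEXT in fh.read(4096)


def triage(root, run_folder):
    """Combine both checks; run_folder is wherever the script was launched."""
    hits, fake = scan_root(root), has_fake_report(run_folder)
    return {"hits": hits, "fake_report": fake,
            "suspicious": len(hits) >= MIN_HITS or fake}


if __name__ == "__main__":
    # Constructed sample tree standing in for C:\ (no real drive is touched).
    with tempfile.TemporaryDirectory() as root:
        for n in ("AVP", "NAV", "CHILE"):
            open(os.path.join(root, n), "w").close()
        os.mkdir(os.path.join(root, "Symantec"))
        print(triage(root, root))
```

On a live system, pass the root of the system drive as `root` and the folder the script was started from (for example a download or temp directory) as `run_folder`.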