Win32.Neroma.A@mm

HIGH
LOW
Size: 5 KB (Packed with UPX)
Aliases: Win32.FireButton.A@mm, W32.Neroma@mm, WORM_NEROMA.A

Symptoms

Presence of the process Nerosys.exe and the file
%WINDIR%\Nerosys.exe
(%WINDIR% is the Windows directory, and the path becomes for instance: C:\Windows\Nerosys.exe)

Removal instructions:

Press CTRL+ALT+DEL to open Task Manager and end the process nerosys.exe.

Go to the Windows directory and delete the file nerosys.exe.


For Windows 95, 98 and Millennium, still in the Windows directory, edit the file SYSTEM.INI, scroll down to the [Boot] section, and replace:

shell=Explorer.exe nerosys.exe

with the same line, without nerosys.exe.
The line should become:

shell=Explorer.exe

For Windows NT4, 2000, XP and 2003, edit the registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nerosys.exe"

Replace the value with "Explorer.exe" (without "nerosys.exe").


The BitDefender removal tool detects and removes Win32.Neroma.A@mm and Win32.Neroma.B@mm, and cleans up the Registry or SYSTEM.INI file.

Analyzed By

Mihai NEAGU BitDefender Virus Researcher

Technical Description:

If you have virus definitions older than 03 September 2003, BitDefender detects this worm as Win32.VB.Generic.

The worm is written in Visual Basic and comes by e-mail.

The e-mail message has the following characteristics:
Subject: It's Near 911!
Attachment: 911.jpg (the actual file name is Nerosys.exe)
Message text: Nice butt baby!

When the worm is executed, it copies itself to the Windows directory:
%WINDIR%\Nerosys.exe
(%WINDIR% is the Windows directory, and the path becomes for instance: C:\Windows\Nerosys.exe)

For Windows 95, 98 and Millennium, the worm replaces the shell command in %WINDIR%\SYSTEM.INI, under the [Boot] section:

shell=Explorer.exe nerosys.exe

In Windows NT4, 2000, XP and 2003, the worm replaces the registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nerosys.exe"
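The persistence change above (and the matching removal step) can be checked programmatically. The following is an added example, not Bitdefender's removal tool: it inspects a constructed SYSTEM.INI [Boot] section and a Winlogon Shell value string, reports any entry other than Explorer.exe, and rebuilds the line as the removal instructions describe. The sample file content is constructed for the example.

```python
import re

# Constructed SYSTEM.INI content as the worm leaves it (not a real capture).
SAMPLE_SYSTEM_INI = """[Boot]
shell=Explorer.exe nerosys.exe
drivers=mmsystem.dll

[386Enh]
device=*vshare
"""

# On a clean system both the SYSTEM.INI shell= line (Win9x/ME) and the
# Winlogon Shell registry value (NT-based) read just "Explorer.exe".
EXPECTED_SHELL = "explorer.exe"


def shell_extras(shell_value):
    """Return every entry on a shell command line other than Explorer.exe."""
    parts = shell_value.strip().strip('"').split()
    return [p for p in parts if p.lower() != EXPECTED_SHELL]


def clean_shell_value(shell_value):
    """Rebuild the shell command line keeping only the Explorer.exe entry."""
    parts = shell_value.strip().strip('"').split()
    kept = [p for p in parts if p.lower() == EXPECTED_SHELL]
    return " ".join(kept) or "Explorer.exe"


def clean_system_ini(text):
    """Scan the [Boot] section of a SYSTEM.INI; return (cleaned_text, extras)."""
    out, extras, in_boot = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"      # section header
        elif in_boot and re.match(r"(?i)shell\s*=", stripped):
            key, _, value = line.partition("=")
            extras = shell_extras(value)
            if extras:                                  # worm appended itself
                line = f"{key.strip()}={clean_shell_value(value)}"
        out.append(line)
    return "\n".join(out) + "\n", extras


if __name__ == "__main__":
    cleaned, found = clean_system_ini(SAMPLE_SYSTEM_INI)
    print("extra shell entries:", found)
    print(cleaned)
```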

The worm uses the Microsoft Outlook mailing system to send itself to all e-mail addresses in the Windows Address Book.

At the beginning of the executable file, you can see the following text: This is Neroma Worm for .::911 : 119::.