
Win32.Scold.A@mm

LOW
LOW
28160 bytes (~ 61 KB when unpacked)
(I-Worm.Scold (KAV))

Symptoms

- the file Warm.scr in the Windows folder;
- the registry entry HKLM \Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 pointing to that file;
- this picture displayed while the virus is running (at every start-up, for example):


Removal instructions:

Manual Removal:
Close the window showing the picture, then delete the file and the registry entry listed in the Symptoms section (the file cannot be deleted while the worm is still running).

Automatic Removal:
Let BitDefender delete infected files.

Analyzed By

Bogdan Dragu, BitDefender Virus Researcher

Technical Description:

This worm is written in Visual Basic and packed with UPX; it embeds the picture above in JPEG format. It arrives in an email in the following format:

Subject:
Fw: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
Re: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]

Body (one of the following sentences):
You will love this cute picture.
Enjoy this great picture.
Don´t miss this cool picture.

followed by:

============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.


Attachment: [the random characters from the Subject line][random digits].scr
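The message format above is a usable mail-gateway signature: the random token at the end of the Subject line is reused as the base name of the .scr attachment, so the two can be correlated rather than matched separately. The script below is an added example (it is not BitDefender's code and not part of the original description): it parses an RFC 822 message, extracts the token from the Subject line, checks the lure sentence and the fake "Free Online Virus Scan" banner in the body, and only flags the message when a .scr attachment named token+digits is also present. The sample messages are constructed for the demonstration; the assumption that the random token contains no whitespace is the script's own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject: "Fw: " or "Re: ", the fixed lure phrase, a run of whitespace, then the
# random token that the worm reuses as the attachment's base name.
# Assumption (not stated on the page): the token contains no whitespace.
SUBJECT_RE = re.compile(
    r"^(?:Fw|Re): When It[´']s Cold Outside She Gives Me Warm Inside\s+(\S+)\s*$",
    re.IGNORECASE,
)
# The three body variants; both apostrophe forms accepted.
LURE_SENTENCES = (
    "You will love this cute picture.",
    "Enjoy this great picture.",
    "Don´t miss this cool picture.",
    "Don't miss this cool picture.",
)
FAKE_SCAN_BANNER = "Free Online Virus Scan"


def scold_indicators(raw):
    """Parse one message (bytes) and return the Scold.A indicators it matches,
    in a fixed order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    token = None
    m = SUBJECT_RE.match(str(msg.get("Subject", "")).strip())
    if m:
        hits.append("subject")
        token = m.group(1)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(s in text for s in LURE_SENTENCES):
        hits.append("lure-sentence")
    if FAKE_SCAN_BANNER in text:
        hits.append("fake-scan-banner")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".scr"):
            hits.append("scr-attachment")
            # Attachment name = subject token + random digits + ".scr"
            if token and re.fullmatch(re.escape(token) + r"\d+\.scr", name, re.IGNORECASE):
                hits.append("attachment-matches-subject-token")
    return hits


def is_scold(raw):
    """True only when the Subject lure and the token-linked .scr attachment are
    both present; the banner and lure sentence alone are weaker signals."""
    hits = scold_indicators(raw)
    return "subject" in hits and "attachment-matches-subject-token" in hits


def build_message(subject, body, attachment_name, payload=b"MZ" + b"\0" * 30):
    """Build a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.test"
    msg["To"] = "contact@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one in the worm's format, one ordinary message.
SCOLD_SAMPLE = build_message(
    "Fw: When It's Cold Outside She Gives Me Warm Inside     qzkx",
    "Enjoy this great picture.\n\n"
    "============= Free Online Virus Scan =============\n"
    "100% VIRUS FREE\n"
    "No viruses or suspicious files were found in the attached file.\n",
    "qzkx4173.scr",
)
BENIGN_SAMPLE = build_message(
    "Re: lunch on Friday?",
    "Works for me, see the attached menu.\n",
    "menu.pdf",
    payload=b"%PDF-1.4\n",
)

if __name__ == "__main__":
    for label, raw in (("scold", SCOLD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_scold(raw), scold_indicators(raw))
```

Requiring the token correlation for a positive verdict keeps the rule from firing on ordinary replies that happen to quote the banner text; a .scr attachment together with the banner but without the Subject lure is still worth quarantining, and the indicator list is returned separately so a gateway can apply that looser policy.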

When run, it copies itself as Worm.scr in the Windows folder and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 so that Windows runs the worm at every start-up.

It uses Outlook to send emails in the format above to:
- the user's contacts in the Address Book;
- email addresses found in .htm/.html files in the folder named by the registry value HKCU\Software\Microsoft\Internet Explorer\Main\Save Directory;
- contacts found in .ctt files (MSN Messenger contact lists) in My Documents.

To build the messages it also writes a copy of itself into the Windows folder under the random name used for the attachment.

The messages are queued in Outlook's Outbox and deleted once they have been sent.