Win32.Scold.A@mm (I-Worm.Scold (KAV))
SYMPTOMS:
- the file Warm.scr in the Windows folder;
- the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 pointing to that file;
- a picture displayed while the virus is running (at every start-up, for example).

TECHNICAL DESCRIPTION:
This worm is written in Visual Basic and packed with UPX; it embeds the displayed picture in JPEG format.

It arrives in an email in the following format:

Subject:
Fw: When It's Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
Re: When It's Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]

Body:
You will love this cute picture.
or
Enjoy this great picture.
or
Don't miss this cool picture.

============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.

Attachment: [the random characters in the Subject line][random digits].scr

When run, it copies itself as Worm.scr in the Windows folder and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 so that Windows runs the worm at every start-up.

It uses Outlook to send identical emails in the format above to:
- the user's contacts in the Address Book;
- email addresses found in .htm/.html files in the folder pointed to by the registry entry HKCU\Software\Microsoft\Internet Explorer\Main\Save Directory;
- contacts found in .ctt files in My Documents.

(To create the email messages, it places a copy of itself in the Windows folder under the random name used for the attachment.) The emails are queued in Outlook's Outbox; after being sent, they are deleted.

Removal instructions:
Manual Removal: Close the window with the picture; delete the file and the registry entry listed in the Symptoms section.
Automatic Removal: Let BitDefender delete infected files.

ANALYZED BY:
Bogdan Dragu
BitDefender Virus Researcher
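A mail-filter style check for the message format described above, as an added example that is not part of the original description: it flags the subject phrase, the fake scan banner, and a .scr attachment whose name starts with the subject's random characters. The function name, the indicator labels and both sample messages are constructed for illustration, and the random characters are assumed to form a single token without spaces.

```python
import re
from email import message_from_string

# Subject phrase from the description; "." tolerates a mangled apostrophe.
SUBJECT_RE = re.compile(
    r"^(?:Fw|Re):\s*When It.s Cold Outside She Gives Me Warm Inside\s+(\S+)\s*$", re.I)
FAKE_SCAN = "No viruses or suspicious files were found in the attached file."

def scold_indicators(raw_message):
    """Return the Scold.A mail-format indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if m:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".scr"):
            hits.append("scr-attachment")
            # Attachment name = subject's random characters + random digits + .scr
            if m and re.fullmatch(re.escape(m.group(1)) + r"\d+\.scr", name, re.I):
                hits.append("name-matches-subject")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if FAKE_SCAN in body:
                hits.append("fake-scan-banner")
    return hits

# Constructed sample messages (not captured traffic); the attachment body is a dummy.
SAMPLE_WORM = """\
Subject: Fw: When It's Cold Outside She Gives Me Warm Inside      qxzvk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain; charset="us-ascii"

You will love this cute picture.
============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.
--B
Content-Type: application/octet-stream; name="qxzvk4821.scr"
Content-Disposition: attachment; filename="qxzvk4821.scr"

AAAA
--B--
"""
SAMPLE_BENIGN = "Subject: Re: lunch\n\nSee you at noon.\n"
```

A message that returns several indicators at once, in particular `name-matches-subject`, is a much stronger match than the `.scr` extension alone.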
