Win32.Neroma.B@mm

HIGH
LOW
5 KB (packed with UPX)
(W32/Neroma-B (Sophos))

Symptoms

Presence of the process nrs.exe and the file

%WINDIR%\nrs.exe

(%WINDIR% is the Windows directory, so the path becomes, for instance, C:\Windows\nrs.exe)

Removal instructions:

Press CTRL+ALT+DEL to open Task Manager and kill the process nrs.exe.

Then go to the Windows directory and delete the file nrs.exe.

For Windows 95, 98 and Millennium, still in the Windows directory, edit the file %WINDIR%\SYSTEM.INI, scroll down to the [Boot] section, and replace:

"shell=Explorer.exe nrs.exe"

with the same line, without "nrs.exe".
The line should become:

"shell=Explorer.exe"

For Windows NT4, 2000, XP and 2003, edit the registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nrs.exe"

Replace the value with "Explorer.exe" (without "nrs.exe").
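
The shell check from the steps above can be scripted. The following is an added example, not part of the original write-up or of BitDefender's removal tool; the function names and the sample SYSTEM.INI content are constructed for illustration, and the tokenizer assumes program paths contain no spaces.

```python
import re

EXPECTED_SHELL = "explorer.exe"  # the only program the page expects in shell=


def extra_shell_programs(shell_value):
    """Return every program in a shell value other than Explorer.exe.

    Works for the SYSTEM.INI shell= value and for the Winlogon Shell
    value read from the registry (passed in as a plain string).
    """
    tokens = re.split(r"[\s,]+", shell_value.strip().strip('"'))
    extras = []
    for token in tokens:
        # Compare on the file name only, so a full path to Explorer passes.
        name = re.split(r"[\\/]", token)[-1].lower()
        if token and name != EXPECTED_SHELL:
            extras.append(token)
    return extras


def clean_system_ini(text):
    """Return (cleaned_text, removed_programs) for SYSTEM.INI content.

    Only the shell= line inside the [boot] section is rewritten; section
    and key names are matched case-insensitively, as Windows does.
    """
    out, removed, section = [], [], None
    for line in text.splitlines():
        header = re.fullmatch(r"\[([^\]]+)\]", line.strip())
        if header:
            section = header.group(1).lower()
        elif section == "boot":
            m = re.match(r"(\s*shell\s*=\s*)(.*)$", line, re.IGNORECASE)
            if m and extra_shell_programs(m.group(2)):
                removed.extend(extra_shell_programs(m.group(2)))
                line = m.group(1) + "Explorer.exe"
        out.append(line)
    return "\n".join(out) + "\n", removed


# Constructed sample of an infected SYSTEM.INI (not taken from a real system).
SAMPLE_INI = """[boot]
shell=Explorer.exe nrs.exe
system.drv=system.drv
[386Enh]
shell=not-the-boot-section
"""

if __name__ == "__main__":
    cleaned, removed = clean_system_ini(SAMPLE_INI)
    print("removed from shell line:", removed)
    print(cleaned)
```

Back up SYSTEM.INI before writing the cleaned text back, and delete nrs.exe as described above so the entry cannot be recreated by a running copy.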


The BitDefender removal tool detects and removes Win32.Neroma.A@mm and Win32.Neroma.B@mm, and cleans up the Registry or SYSTEM.INI file.

Analyzed By

Mihai NEAGU, BitDefender Virus Researcher

Technical Description:

If you have virus definitions older than 05 September 2003, BitDefender detects this worm as Win32.VB.Generic.

The worm is written in Visual Basic and arrives by e-mail.

The message description is:
Subject: Time to 911!
Attachment: 119.gif (the actual file name is nrs.exe)
Message text: Hi, Nice butt!

When the worm is executed, it copies itself to the Windows directory:
%WINDIR%\nrs.exe

(%WINDIR% is the Windows directory, so the path becomes, for instance, C:\Windows\nrs.exe)

For Windows 95, 98 and Millennium, the worm replaces the shell command in %WINDIR%\SYSTEM.INI, under the [Boot] section:

"shell=Explorer.exe nrs.exe"

In Windows NT4, 2000, XP and 2003, the worm replaces the registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nrs.exe"

The worm uses the Microsoft Outlook mailing system to send mail to all e-mail addresses in the Windows Address Book.

At the beginning of the executable file, you can see the following text:
This is a Second Variant of Nemora 911.