VBS.Cuerpo.A@mm (I-Worm.Cuervo)
SYMPTOMS:
- The file winstart.bat in the C:\Windows\ folder.

TECHNICAL DESCRIPTION:
This worm arrives in the body of an infected e-mail and uses an exploit for Scriptlet.TypeLib. When the infected message is viewed, the worm drops the file c:\windows\winstart.bat through this exploit; no attachment has to be opened, because the script is in the message body itself. After the next reboot Windows executes the batch file, which drops a Visual Basic Script file and copies it into the usual startup folder of some language-specific versions of Windows. The dropped script then runs and activates the spreading routine.

First the worm drops several other files, then it replies to the user's e-mails, replacing the body of each message with itself. It also sends e-mails to the user's contacts from all address books. These e-mails are sent using MAPI (Messaging Application Programming Interface) functions, so they leave through the user's own mail client and appear to come from a known correspondent.

The worm also modifies blank.html in the system directory so that it loads a file containing another component of the worm and loads a page from www.freedonation.com. It then sets blank.html as the default (start) page of Internet Explorer.

A second spreading method: the worm searches for e-mail addresses in all files with the following extensions: .txt, .na2, .wab, .mbx, .dbx, .dat. The addresses found in those files are written into an .html file which is submitted to the author's page, a PHP script hosted on a free server, so that the worm is mailed automatically to those addresses.

Removal instructions:
1. Make sure that you have the latest updates using BitDefender Live!;
2. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.Cuerpo.A@mm.

ANALYZED BY:
Sorin Dudea, BitDefender Virus Researcher
Costin Ionescu, BitDefender Virus Researcher
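The artifacts listed above (winstart.bat under Windows, a rewritten blank.html pointing at www.freedonation.com, a .vbs in a startup folder, Internet Explorer's start page set to blank.html) can be turned into a host check. The script below is an added example written for this entry, not BitDefender's tooling and not the worm's own code. It walks a directory tree that stands in for the Windows volume, so it runs offline against a constructed tree (run_demo builds one); on a real machine point it at the system drive. The Windows 9x layout it assumes (Windows\System as the system directory, Windows\Start Menu\Programs\StartUp as the startup folder) and the HKCU\Software\Microsoft\Internet Explorer\Main\Start Page registry value are assumptions beyond what the description states, and the sample files it creates are constructed placeholders.

```python
"""Host check for the indicators this entry attributes to VBS.Cuerpo.A@mm.
Added example, not BitDefender's tooling. Paths follow the Windows 9x layout
(assumption); the tree under `root` may be a real volume or a test directory."""
import re
import sys
from pathlib import Path
from typing import List, Optional

# Indicators taken from the description above.
DROPPED_BATCH = Path("Windows") / "winstart.bat"
BLANK_HTML = Path("Windows") / "System" / "blank.html"  # assumption: "system directory" = Windows\System
HIJACK_HOST = "freedonation.com"
HARVEST_EXTENSIONS = {".txt", ".na2", ".wab", ".mbx", ".dbx", ".dat"}
# Any raw .vbs under the Start Menu tree is suspicious (shortcuts there are .lnk);
# scanning the whole tree also covers the localized startup folder names (assumption).
START_MENU = Path("Windows") / "Start Menu"


def _ci_resolve(root: Path, rel: Path) -> Optional[Path]:
    """Resolve `rel` below `root` case-insensitively (FAT volumes ignore case)."""
    cur = root
    for part in rel.parts:
        if not cur.is_dir():
            return None
        match = next((p for p in cur.iterdir() if p.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur


def _read_ie_start_page() -> Optional[str]:
    """Windows only: read the IE start page value (registry location is an assumption)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main") as key:
            return winreg.QueryValueEx(key, "Start Page")[0]
    except OSError:
        return None


def check_host(root: Path, ie_start_page: Optional[str] = None) -> List[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings: List[str] = []

    # 1. The batch file dropped through the Scriptlet.TypeLib exploit.
    if _ci_resolve(root, DROPPED_BATCH):
        findings.append(f"dropped batch present: {DROPPED_BATCH}")

    # 2. blank.html rewritten to pull in another component or the hijack page.
    blank = _ci_resolve(root, BLANK_HTML)
    if blank and blank.is_file():
        body = blank.read_text(errors="replace").lower()
        if HIJACK_HOST in body or re.search(r"<script[^>]+src=", body):
            findings.append(f"modified blank.html loads external content: {blank}")

    # 3. A .vbs dropped into a startup folder (second-stage script).
    start_menu = _ci_resolve(root, START_MENU)
    if start_menu and start_menu.is_dir():
        for p in start_menu.rglob("*"):
            if p.is_file() and p.suffix.lower() == ".vbs":
                findings.append(f"script in startup tree: {p}")

    # 4. IE start page pointed at blank.html.
    if ie_start_page is None and sys.platform == "win32":
        ie_start_page = _read_ie_start_page()
    if ie_start_page and ie_start_page.lower().replace("/", "\\").endswith("blank.html"):
        findings.append(f"IE start page set to {ie_start_page}")
    return findings


def harvestable_files(root: Path) -> List[Path]:
    """Files the worm would mine for addresses, i.e. what it would leak from this tree."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in HARVEST_EXTENSIONS)


def run_demo() -> dict:
    """Build a constructed infected tree and a clean tree in temp dirs and check both."""
    import tempfile
    infected = Path(tempfile.mkdtemp())
    sysdir = infected / "Windows" / "System"
    startup = infected / "Windows" / "Start Menu" / "Programs" / "StartUp"
    sysdir.mkdir(parents=True)
    startup.mkdir(parents=True)
    (infected / "Windows" / "winstart.bat").write_text("@echo off\r\n")  # constructed placeholder
    (sysdir / "blank.html").write_text('<html><iframe src="http://www.freedonation.com/"></iframe></html>')
    (startup / "loader.vbs").write_text("' constructed placeholder\r\n")
    docs = infected / "My Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("alice@example.org\r\n")  # constructed address file
    clean = Path(tempfile.mkdtemp())
    (clean / "Windows" / "System").mkdir(parents=True)
    return {
        "infected": check_host(infected, ie_start_page=r"c:\windows\system\blank.html"),
        "clean": check_host(clean, ie_start_page="about:blank"),
        "harvestable": [p.name for p in harvestable_files(infected)],
    }


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("C:\\")
    for line in check_host(target):
        print(line)
```

The blank.html test is deliberately loose (any remote host match or external script include) because the entry does not give the exact content the worm writes; treat a hit as a reason to inspect the file, and treat a .vbs in the startup tree the same way. harvestable_files is there to show how much address material a machine exposes to the second spreading method, which is what makes a single infected host seed a wider outbreak.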