
Win32.Updatr.A@mm

MEDIUM
LOW
Size: 12288 bytes
Also known as: I-Worm.Updater, I-Worm.Imelda.B

Symptoms

- Files (located in C:\Windows):
  - Readme.exe
  - Files.exe
  - Picture.exe
  - Quotation.Doc.exe
  - Letter.Doc.exe
  - Picture.jpg.exe

- File C:\Windows\Start Menu\Programs\StartUp\Update.vbs

Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version from the BitDefender website;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following key:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Update

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Updatr.A@mm.

Analyzed by: Costin Ionescu, BitDefender Virus Researcher

Technical Description:

This virus is an Internet worm that spreads through e-mail, using the addresses found in Outlook's Address Book. It arrives as an e-mail with an executable attachment.

The infected e-mail has the following format:

Subject: a combination of words randomly chosen from the following groups (or one of the fixed subjects further down the list):
- Have you Check this Picture
- You Should Check out my Program
- Just Watch out For this Patch
- Why Not you Open The Nude pic
- How to Look at Report
- Re: Document
- Fwd: Quotation
- Transaction
- Bank Account
- WTC Tragedy
- Osama Vs Bush
- Account
- Private Pic

Body:
Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.

Attachment: an executable file named as described in the Symptoms section

An example of such an e-mail was shown in a screenshot on the original page (image not reproduced here).
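The subject list, body text and attachment names above are fixed, which makes this worm easy to stop at a mail gateway. The following Python is an added example (not BitDefender's code) of a simple mail-filter rule built from those indicators: it matches the documented subjects and body phrase, the listed attachment names, and the document-extension-followed-by-executable pattern the names use. The sample messages are constructed for the demonstration; the verdict policy (block, quarantine, pass) is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Subjects documented for this worm (generated combinations and fixed subjects),
# compared case-insensitively.
KNOWN_SUBJECTS = {s.lower() for s in (
    "Have you Check this Picture", "You Should Check out my Program",
    "Just Watch out For this Patch", "Why Not you Open The Nude pic",
    "How to Look at Report", "Re: Document", "Fwd: Quotation", "Transaction",
    "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic",
)}
# Attachment names the worm uses (the Symptoms list).
KNOWN_ATTACHMENTS = {
    "readme.exe", "files.exe", "picture.exe",
    "quotation.doc.exe", "letter.doc.exe", "picture.jpg.exe",
}
# Fixed phrase from the worm's message body.
BODY_MARKER = "this is the file you ask for"
# A document or image extension immediately followed by an executable one
# (the "Quotation.Doc.exe" / "Picture.jpg.exe" trick), generalised a little.
DOUBLE_EXTENSION = re.compile(r"\.(doc|txt|jpg|jpeg|gif|xls|pdf)\.(exe|scr|pif|com|vbs)$", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def reasons_for(msg: Message) -> list:
    """List every worm indicator present in the message."""
    reasons = []
    if msg.subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject from worm list")
    if BODY_MARKER in msg.body.lower():
        reasons.append("body from worm template")
    for name in msg.attachments:
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"known drop name: {name}")
        elif DOUBLE_EXTENSION.search(name):
            reasons.append(f"double extension: {name}")
    return reasons


def verdict(msg: Message) -> str:
    """Assumed policy: block on a known attachment name, or on subject and body
    template together (this also catches the bugged copies sent without an
    attachment); quarantine on a single indicator; pass otherwise."""
    reasons = reasons_for(msg)
    if any(r.startswith("known drop name") for r in reasons):
        return "block"
    if "subject from worm list" in reasons and "body from worm template" in reasons:
        return "block"
    if reasons:
        return "quarantine"
    return "pass"


def scan(messages) -> list:
    """Verdict for each message, in order."""
    return [verdict(m) for m in messages]


# Constructed sample messages, not real captures.
WORM_BODY = ("Hi:\nThis is the file you ask for, Please save it to disk and open "
             "this file, it's very important.")
SAMPLES = [
    Message("Fwd: Quotation", WORM_BODY, ["Quotation.Doc.exe"]),   # full worm mail
    Message("Private Pic", WORM_BODY, []),                          # bugged copy, no attachment
    Message("Account", "Attached is your monthly statement.", ["statement.pdf"]),
    Message("Lunch tomorrow?", "Does noon work?", []),
    Message("Holiday photos", "See attached", ["beach.jpg.scr"]),   # same naming trick, other name
]

if __name__ == "__main__":
    for m, v in zip(SAMPLES, scan(SAMPLES)):
        print(f"{v:10} {m.subject!r} {reasons_for(m)}")
```

A single generic subject such as "Account" only earns a quarantine, since legitimate mail uses it too; the worm's own attachment names and its fixed body text are the strong signals.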
When the user runs the attachment, the virus copies itself into the C:\Windows directory under all the names listed above. It then adds the following registry value so that it is started at every reboot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Update with the value "C:\WINDOWS\Update.exe", imported from a generated registry file called c:\iwing.reg

It also creates a Visual Basic Script file (Update.vbs) in the Startup directory, which is likewise run at every startup.

To trick users it displays a fake error message (screenshot on the original page, not reproduced here).
To spread, it reads all the contacts from the Outlook Address Book and sends the same generated e-mail to every one of them.

The script dropped in the Startup directory searches all drives for files with the extensions .exe, .doc and .txt and, next to each one, creates a file with the same name plus the extension .vbs (for example Report.doc becomes Report.doc.vbs) into which it copies itself. On the 12th of every month it displays a message (screenshot on the original page, not reproduced here).
The virus is buggy: it sometimes sends e-mails without attaching the file.
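The on-disk traces described above (the copies in C:\Windows, Update.vbs in the Startup folder, c:\iwing.reg, and the .vbs companion files the dropped script writes next to .exe/.doc/.txt files) can be checked by a host-side script. The Python below is an added example, not BitDefender's code: `find_indicators` takes a drive root standing in for C:\ and a list of directories to walk, and reports each trace it finds; `demo` builds a constructed directory layout in a temporary folder so the check can be run on any system. The Run\Update registry value is not covered here and still has to be removed as described in the removal instructions.

```python
import os
import tempfile
from pathlib import Path

# File names the worm drops into the Windows directory (from the Symptoms section).
WORM_DROP_NAMES = {
    "readme.exe", "files.exe", "picture.exe",
    "quotation.doc.exe", "letter.doc.exe", "picture.jpg.exe",
}
# Startup script relative to the Windows directory, and the generated .reg file at the drive root.
STARTUP_SCRIPT = Path("Start Menu") / "Programs" / "StartUp" / "Update.vbs"
REG_FILE = "iwing.reg"
# Extensions the dropped script shadows with a companion: name.ext -> name.ext.vbs
COMPANION_TARGETS = {".exe", ".doc", ".txt"}


def find_indicators(drive_root, scan_roots) -> dict:
    """Return the on-disk indicators of Win32.Updatr.A@mm found under drive_root.

    drive_root plays the role of C:\\ and is assumed to contain a Windows directory;
    scan_roots are the directories walked for .vbs companion files. Name
    comparisons are case-insensitive, as on a Windows file system."""
    drive_root = Path(drive_root)
    windows_dir = drive_root / "Windows"
    findings = {"dropped_files": [], "startup_script": None,
                "reg_file": None, "vbs_companions": []}

    if windows_dir.is_dir():
        for entry in windows_dir.iterdir():
            if entry.is_file() and entry.name.lower() in WORM_DROP_NAMES:
                findings["dropped_files"].append(str(entry))
    findings["dropped_files"].sort()

    script = windows_dir / STARTUP_SCRIPT
    if script.is_file():
        findings["startup_script"] = str(script)

    reg = drive_root / REG_FILE
    if reg.is_file():
        findings["reg_file"] = str(reg)

    for root in scan_roots:
        for dirpath, _, filenames in os.walk(root):
            by_lower = {f.lower(): f for f in filenames}
            for f in filenames:
                ext = os.path.splitext(f)[1].lower()
                companion = by_lower.get(f.lower() + ".vbs")
                if ext in COMPANION_TARGETS and companion is not None:
                    findings["vbs_companions"].append(os.path.join(dirpath, companion))
    findings["vbs_companions"].sort()
    return findings


def demo() -> dict:
    """Build a constructed layout mimicking an infected C:\\ drive in a temp
    directory and scan it. All files are dummies written by this example."""
    root = Path(tempfile.mkdtemp(prefix="updatr_demo_"))
    win = root / "Windows"
    startup = win / "Start Menu" / "Programs" / "StartUp"
    startup.mkdir(parents=True)
    for name in ("Readme.exe", "Picture.jpg.exe", "notepad.exe"):   # two drops, one benign
        (win / name).write_bytes(b"MZ constructed sample")
    (startup / "Update.vbs").write_text("' constructed sample\n")
    (root / REG_FILE).write_text("REGEDIT4\n")
    docs = root / "Docs"
    docs.mkdir()
    for name in ("Report.doc", "Report.doc.vbs", "Notes.txt",
                 "tool.exe", "tool.exe.vbs", "clean.vbs"):
        (docs / name).write_text("constructed sample\n")
    return find_indicators(root, [docs])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the same function would be called with the system drive and the list of drives to walk; the companion check flags only .vbs files whose name is exactly an existing .exe/.doc/.txt name plus ".vbs", so ordinary scripts such as clean.vbs are not reported.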

As a marker, the author wrote:
I-WORM.IMELDA.B
(C)2001, by Iwing
Virusindo - Indonesian Virus Network