Win32.Refoav.A@mm

HIGH
VERY LOW
49152 bytes
(N/A)

Symptoms

  • The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Load, which points to C:\VBSeli.vbs
  • The presence of files C:\VBSeli.vbs, C:\Foavre.exe
Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version.

  2. Make the following changes in the Windows registry:

     Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

     1. Select Run... from Start, then type regedit and press Enter;
     2. Delete the following key:
        [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Load]
        which points to C:\VBSeli.vbs.

  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Refoav.A@mm.

Analyzed By

Mihai Chiriac, BitDefender Virus Researcher

Technical Description:

The virus arrives attached to e-mail messages looking like the following:
Subject : Fw:Ipresionante
Text : Pues eso simplemente impresionante........
Attachment : foavre.exe

When the attachment is executed, the worm receives control and copies itself to the file c:\foavre.exe, then drops from its body the file c:\vbseli.vbs and registers it to load at system startup.

Then the worm gets the list of e-mail addresses from the user's address book and e-mails itself to every one of these addresses, using the SMTP server interlap.com.ar and the username foavre. In addition to spreading, the worm saves information about the registered user name and company, together with the collected e-mail addresses, into the file c:\datospc.dat and attempts to send that file to the virus writer (the address is defecto@hotmail.com). If this routine succeeds, the worm deletes the file c:\datospc.dat.

At the first computer reboot, or after the execution of C:\VBSeli.vbs, the virus displays the following message boxes:

Usted ha sido infectado por el virus FOAVRE
Este no es un virus maligno, no se preocue su sistema sera restaurado, y no quedara rastro del virus
Este es un virus de aviso, tenga cuidado con los archivos que recibe y abre
NO A LA GUERRA
Perdone las molestias en breve recibira un correo indicando su numero en la lista de infectados

After that, the virus disinfects the computer by deleting the viral registry key and its own files.
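The following read-only PowerShell check is an added example, not part of the original BitDefender page. It looks for the indicators described above (the Run entry pointing at C:\VBSeli.vbs, the dropped files and the c:\datospc.dat staging file) and records size and hash for each hit; it assumes "Load" is a value under the Run key, since the page calls it a key but describes it as pointing to a file.

```powershell
# Added example: collect Win32.Refoav.A@mm indicators on the local host.
# Assumption: the page's "Run\Load" indicator is a value named "Load" under
# the Run key whose data names the dropped VBS file.
function Test-RefoavIndicators {
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    # Paths taken from the description; datospc.dat is the worm's staging file.
    $paths  = 'C:\VBSeli.vbs', 'C:\Foavre.exe', 'C:\datospc.dat'
    $hits   = @()

    # Indicator 1: persistence entry pointing at the dropped script.
    $load = (Get-ItemProperty -Path $runKey -Name 'Load' -ErrorAction SilentlyContinue).Load
    if ($load -and $load -like '*VBSeli.vbs*') {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\Load"; Detail = $load }
    }

    # Indicator 2: dropped files; size and SHA-256 go into the incident record.
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $len  = (Get-Item -LiteralPath $p).Length
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = "$len bytes, SHA256 $hash" }
        }
    }
    return $hits
}

$findings = Test-RefoavIndicators
if ($findings.Count -eq 0) {
    'No Win32.Refoav.A@mm indicators found.'
} else {
    'Possible Win32.Refoav.A@mm infection:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt before cleanup so the file hashes are captured while the samples are still on disk.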