The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Load, which points to C:\VBSeli.vbs
The presence of files C:\VBSeli.vbs, C:\Foavre.exe
- If you don't have BitDefender installed click here to download an evaluation version.
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
which points to C:\VBSeli.vbs.
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Refoav.A@mm.
Mihai Chiriac, BitDefender Virus Researcher
The virus arrives attached to email messages looking like the following:
Subject : Fw:Ipresionante
Text : Pues eso simplemente impresionante........
Attachment : foavre.exe
When the attachment is executed, the worm receives control and copies itself to the file c:\foavre.exe, then dumps from its body the file c:\vbseli.vbs and registers it to load at system startup.
Then the worm gets the list of e-mail addresses from the user's address book and e-mails itself to each of these addresses, using the SMTP server interlap.com.ar and the username foavre. In addition to spreading, the worm saves the registered user name and company, together with the e-mail addresses, into the file c:\datospc.dat and attempts to send the file to the virus writer (the address is email@example.com). If this routine succeeds, the worm deletes the file c:\datospc.dat.
At the first computer reboot or after the execution of C:\VBSeli.vbs, the virus displays the following message boxes:
Usted ha sido infectado por el virus FOAVRE
Este no es un virus maligno, no se preocue su sistema sera restaurado, y no quedara rastro del virus
Este es un virus de aviso, tenga cuidado con los archivos que recibe y abre
NO A LA GUERRA
Perdone las molestias en breve recibira un correo indicando su numero en la lista de infectados
After that, the virus disinfects the computer by deleting the viral registry key and its own files.
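A read-only check for the indicators named above (the Load startup entry and the three files), as an added example that is not part of the original BitDefender write-up. It assumes Load is a value under the Run key, and it also looks at the 32-bit registry view (WOW6432Node), which the page does not mention.

```powershell
# Added example: read-only check for the Win32.Refoav.A@mm indicators on this page.
# Assumption: "Load" is a value under the Run key (the page calls it a key).
# Assumption: the second path is the 32-bit registry view on 64-bit Windows;
#             the page lists only the first path.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runValue = 'Load'
$files    = 'C:\VBSeli.vbs', 'C:\Foavre.exe', 'C:\datospc.dat'

$findings = @()

# Startup entry: report it only when it points at the dropped script.
foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -Name $runValue -ErrorAction SilentlyContinue
    if ($entry -and $entry.$runValue -match 'vbseli\.vbs') {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Item = "$key\$runValue"; Detail = $entry.$runValue
        }
    }
}

# Dropped files: record size and timestamps for the incident timeline.
foreach ($path in $files) {
    $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($f) {
        $detail = '{0} bytes, created {1:u}, modified {2:u}' -f `
            $f.Length, $f.CreationTimeUtc, $f.LastWriteTimeUtc
        $findings += [pscustomobject]@{
            Type = 'File'; Item = $f.FullName; Detail = $detail
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1      # non-zero exit so a scheduled job or script can flag the host
} else {
    Write-Output 'No Win32.Refoav.A@mm indicators found.'
    exit 0
}
```

A clean result does not show the host was never infected: as described above, the worm deletes its registry entry and files after displaying its messages, and removes c:\datospc.dat once it has been sent.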