Win32.Cervivec.A@mm

LOW
LOW
228872 bytes (~ 706 KB when unpacked)
(N/A)

Symptoms

  • Files ntkrnl.exe, worms.exe and worms.zip in the Windows\System32 folder;

  • The Kernel Loader entry in the registry key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    The value of this entry causes the executable file named above to be "silently" run at each Windows start-up:



  • Removal instructions:

    1. If you don't have BitDefender installed click here to download an evaluation version.

    2. Make the following changes in the Windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;
      2. Delete the following key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelLoader

    3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Cervivec.A@mm.

    Analyzed By

    Bogdan Dragu, BitDefender Virus Researcher

    Technical Description:

    This virus spreads via e-mail by sending itself to the user's contacts in the ICQ contact list (ICQ is a popular instant messenger). It was written in Borland Delphi and the executable was compressed using the UPX executable packer.

    It arrives as an attachment (worms.zip) to an e-mail message with the Subject/Body fields selected from the following choices:

    Subject: Chiste
    Body: Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

    Subject: Zart
    Body: Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)

    Subject: Joke
    Body: Hi, I have some cool joke - worms so have a look at it (no virus)

    Subject: £æÉëP
    Body: "ÅòüàÉ, ß ïàîÜ àƒÉ¥ ÄÅòëìè¥îPÜ £ÉæéëP üÅìäà éàÅüÜëP (ÖÉì îà üòÅæƒ)

    Subject: blague
    Body: J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)

    Subject: Witz
    Body: Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)

    Subject: Vtip or Cervici
    Body: Cau posielam ti cerviky tak sa na to pozri (virus to neni)

    Subject: Vtip or Cervici
    Body: Cau posilam ti cerviky tak se na to podivej (virus to neni)

    When run, the attached executable file copies itself to the Windows System32 folder (as ntkrnl.exe and worms.exe) and also creates a ZIP archive (worms.zip) in the same folder containing the dropped worms.exe copy of the virus.

    The ntkrnl.exe executable will be registered to run at each Windows start-up by creating the value described above in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
    At Windows start-up, the virus will be run with the ?LOADDRIVERS=TRUE command-line argument, which selects "silent" execution (no message box or payload).

    The worms.exe file is used to generate the worms.zip archive that will be attached to the e-mail messages created by the virus. These messages will be sent to the e-mail addresses of the user's contacts, which are found by scanning the ICQ database (.dat and .idx files in the ICQ installation folder and its subfolders: 2001b, 2001a, 2000b, 2000a). These addresses, together with the associated e-mail messages, are written to a temporary file named ntoskrnl.dat.
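    The following PowerShell script is an added example; it is not code from BitDefender or from this description. It audits a host for the indicators listed under Symptoms and in the technical description (the dropped files in System32, the Run-key entry in either hive, the ?LOADDRIVERS=TRUE argument) and, only when -Remove is given, deletes the Run-key persistence value as the removal instructions require, leaving the files for the full antivirus scan. It goes slightly beyond the text by matching Run entries on their command line as well as on the value name, and by checking both HKLM and HKCU, since the page names each in a different place. The script name, the -Remove switch and the check of System32 for ntoskrnl.dat are this example's assumptions; the page does not say where that temporary file is written.

```powershell
# Added example, not code from BitDefender or the malware's author.
# Audits a Windows host for the Win32.Cervivec.A@mm indicators named on this
# page and, only when -Remove is given, deletes the Run-key persistence value.
[CmdletBinding()]
param(
    [switch]$Remove   # delete the Run value(s) found; files are left for the AV scan
)

$system32 = Join-Path $env:SystemRoot 'System32'

# File names from the page. The location of ntoskrnl.dat is not stated there;
# checking System32 for it is an assumption of this example.
$artifactNames = 'ntkrnl.exe', 'worms.exe', 'worms.zip', 'ntoskrnl.dat'

# The page names HKLM under Symptoms and HKCU in the technical description,
# so both Run keys are checked.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

foreach ($name in $artifactNames) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Key    = $null
            Name   = $path
            Detail = "size=$($item.Length) bytes, modified=$($item.LastWriteTime)"
        }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath and similar metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        $value = [string]$prop.Value
        # Match the value name the page gives (both spellings appear on it), or any
        # command that launches a dropped file or carries the LOADDRIVERS=TRUE
        # argument used for the silent start-up run.
        $nameHit  = ($prop.Name -eq 'KernelLoader') -or ($prop.Name -eq 'Kernel Loader')
        $valueHit = $value -match 'ntkrnl\.exe|worms\.exe|LOADDRIVERS=TRUE'
        if ($nameHit -or $valueHit) {
            $findings += [pscustomobject]@{
                Kind   = 'RunKey'
                Key    = $key
                Name   = $prop.Name
                Detail = $value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Win32.Cervivec.A@mm indicators found.'
    return
}

$findings | Format-Table Kind, Name, Detail -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object Kind -eq 'RunKey')) {
        try {
            Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Stop
            Write-Host "Removed $($f.Key)\$($f.Name)"
        } catch {
            Write-Warning "Could not remove $($f.Key)\$($f.Name): $_"
        }
    }
    Write-Host 'Now run a full antivirus scan to remove the dropped files, as the page instructs.'
}
```

    Save it as, for instance, Check-Cervivec.ps1 and run it from an elevated PowerShell session so that the HKLM Run key can be read and, with `.\Check-Cervivec.ps1 -Remove`, written. Without -Remove the script only reports; the file matches are deliberately not deleted by the script because a running copy of the virus can hold them open, which is why the page defers file removal to the full scan.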

    Before activating its payload, the virus displays the following message box and waits for the user to click "OK":





    The payload is non-destructive - just a cute animation of colourful lines crawling on the Windows desktop (to get rid of them, just restart Windows):