Name: %SysDir%\command.pif

Description:

Worm W32.Inzae.B@mm. It is a mass-mailing worm that uses its own SMTP engine to spread.

1. Adds the following values to the registry Run keys:
   "Messenger6"="%System%\command.pif"
   "Svchost"="%System%\command.pif"
2. Sends an HTTP GET request to download the file msvbvm60.dll to the following folders, and then executes it:
   %Windir%\System32
   %Windir%\System
3. Creates the following file and executes it if the file msvbvm60.dll is downloaded successfully:
   %System%\Paula.pif
4. When %System%\Paula.pif is executed, it does the following:
   Copies itself as %System%\Svchosl.pif.
   Creates the following files:
   %Windir%\System32\m.zip
   %Windir%\System32\sw.exe
   %Windir%\System32\sx.exe
   %Windir%\System32\ss.exe
   %Windir%\System32\sz.exe
5. Deletes files with the extensions: .asm .asp .bdsproj .bmp .c .cpp .cs .csproj .css .doc .dpr .frm .gif .h .htm .html .iso .jpeg .jpg .mdb .mp3 .nfm .nrg .pas .pcx .pdf .php .ppt .rar .rc .rc2 .reg .resx .rpt .sln .txt .vb .vbp .vbproj .wav .xls
6. Downloads its updates if the computer is connected to the Internet.
7. Sends its body by e-mail.

Remove it from startup using antivirus (also check the How To Remove section).
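The Run-key values and dropped files listed above can be turned into a triage check. The following is an added example, not part of the original entry: it matches exported Run-key data and a file listing against those paths, assuming %Windir% is C:\Windows and treating %System% and %SysDir% as the system folder; the sample input is constructed.

```python
import ntpath

# Constructed assumption: %Windir% is C:\Windows. %System% and %SysDir% are
# treated as the system folder; both System32 and System are checked.
WINDIR = r"C:\Windows"
SYSTEM_DIRS = [ntpath.join(WINDIR, "System32"), ntpath.join(WINDIR, "System")]
SYSTEM_FILES = ["command.pif", "Paula.pif", "Svchosl.pif"]       # %System%\...
SYSTEM32_FILES = ["m.zip", "sw.exe", "sx.exe", "ss.exe", "sz.exe"]
# msvbvm60.dll is left out on purpose: it is the Visual Basic 6 runtime and
# its presence alone does not indicate infection.

def norm(path):
    """Expand the page's placeholders, then normalise case and slashes."""
    p = path.strip().strip('"')
    for var, target in (("%windir%", WINDIR), ("%system%", SYSTEM_DIRS[0]),
                        ("%sysdir%", SYSTEM_DIRS[0])):
        if p.lower().startswith(var):
            p = target + p[len(var):]
            break
    return ntpath.normcase(ntpath.normpath(p))

def indicator_paths():
    """Every file path from the description, in normalised form."""
    paths = {norm(ntpath.join(d, f)) for d in SYSTEM_DIRS for f in SYSTEM_FILES}
    return paths | {norm(ntpath.join(SYSTEM_DIRS[0], f)) for f in SYSTEM32_FILES}

def scan(run_entries, file_listing):
    """Return findings for Run-key data and file paths that match the page."""
    bad = indicator_paths()
    findings = [("run", name, norm(data)) for name, data in run_entries
                if norm(data) in bad]
    findings += [("file", None, norm(p)) for p in file_listing if norm(p) in bad]
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_RUN = [("Messenger6", r'"%System%\command.pif"'),
              ("Svchost", r"C:\WINDOWS\system32\COMMAND.PIF"),
              ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe")]
SAMPLE_FILES = [r"C:\Windows\System32\sw.exe", r"C:/windows/system32/Paula.pif",
                r"C:\Windows\System32\msvbvm60.dll", r"C:\Users\a\sw.exe"]

if __name__ == "__main__":
    for kind, name, path in scan(SAMPLE_RUN, SAMPLE_FILES):
        print(kind, name or "-", path)
```

Matching is on the full normalised path rather than the value name, so a legitimate Run entry that happens to be called "Svchost" is not flagged unless it points at one of the listed files.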