W32/Febelneck-A is a worm that disguises itself as a zip file. It does this by associating a zip file icon with infected programs.
W32/Febelneck-A spreads by copying itself to the following predefined locations:
C:\windows\
C:\windows\system\
A:\
with a file name chosen from the list:
Mis Fotos.exe
Cancion.exe
Juego.exe
Pamela Anderson.exe
Fotos Locas.exe
Programa Automatizaci.exe
Importante.exe
Diablo II.exe
Resident Evil.exe
Registros IFE.exe
Mery Christmas.exe
In order to run automatically each time Windows is started, the worm sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Protection = C:\Windows\system\Protection.exe
W32/Febelneck-A may attempt to spread by emailing itself through Microsoft Outlook Express with one of the following subject lines:
Haber si te gustan mis fotos :|
Haber que te parezco ?
Hola, Pues aqui te las mando
No te vayas a burlar de mi :(
Soy de cara bonita :))
W32/Febelneck-A will attempt to disable anti-virus products by closing their windows and disabling their autostart registry entries.
The worm will attempt to change the name of the infected computer to "Nebelfleck"
W32/Febelneck-A may attempt to delete all files on the infected computer's hard-drive by running a file located at C:\obj.bat. This file should be deleted.