JS/Veruka-A

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Email attachments
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	9 December 2004 05:01:16 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

JS/Veruka-A is a JavaScript email and IRC worm.

JS/Veruka-A sends itself to email addresses found in Outlook address books.

JS/Veruka-A copies itself into the folders of any IRC clients found on the computer and creates initialisation files to send itself via the IRC network.

JS/Veruka-A deletes any BAT, LNK, PIF, CMD, HTM and VBS files it finds on the computer and replaces them with a simple command to run itself.

JS/Veruka-A creates copies of itself in the Windows folder and attempts to create the following registry entry to run itself automatically on log-on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
stmha
jilkx\wkfxi.js

JS/Veruka-A sends itself as an attachment to the following email message:

Subject:

[Warning]: Symantec Security Response E-mail Worm Warning

Message Body:

Dear Sir/Madam,We received few reports about a new e-mail worm.
The worm detected as W32.Holyshit.A@mm.
The attachment is the update for this worm.Please run it to update your
AntiVirus.

Attachment name:

Update.js

Get reports about the latest virus and spyware threats delivered to your computer

In this section

JS/Veruka-A

Summary

Action

More Information