Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 4 August 2004 23:56:46 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting macro viruses.
You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
FileMgr32 = Wscript.exe Chktsk32.vbs
and delete it if it exists.
Close the registry editor.
More Information
VBS/Cata-A is a mass-mailing email virus.
The virus may delete image files from network shares.
VBS/Cata-A is a VBS mass-mailing virus.
On execution the virus copies itself to the Windows system folder as Manutenzione.xls.vbs and Chktsk32.vbs.
VBS/Cata-A also creates the autostart registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\FileMgr32
= Wscript.exe Chktsk32.vbs
The virus sends email with the following characteristics to all addresses in the address book.
Subject line:
Vostro ordine
Message text:
Salve, vi mando in allegato il vostro ordine del mese precedente.
Attached file:
Manutenzione.xls.vbs
After sending email the virus sets the following registry entry:
HKCU\Software\WSHWC\Catarro\<email address>=WSHWC
to prevent the virus sending another email to the same address.
VBS/Cata-A looks for any network drive containing a Windows system folder and injects viral code into all VBS and VBE files. The virus also replaces any JPG, HTML, MPG, HTM, DOC and AVI files with a copy of the virus named <original file name>.vbs.
On 17 January the virus will disable the keyboard and mouse of the infected computer.
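The registry export saved as a backup in the Action steps can be checked offline for both registry indicators described above. The following is an added example, not Sophos code: the function names are hypothetical, the sample export is constructed, and it assumes the per-address tracking entries are string values named after each address under HKCU\Software\WSHWC\Catarro.

```python
import re

# Indicators from the description above; key names are compared case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
TRACK_KEY = r"HKEY_CURRENT_USER\Software\WSHWC\Catarro"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (REGEDIT4 text format), not data from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"FileMgr32"="Wscript.exe Chktsk32.vbs"
"SchedulingAgent"="mstask.exe"

[HKEY_CURRENT_USER\Software\WSHWC\Catarro]
"alice@example.com"="WSHWC"
"bob@example.com"="WSHWC"
'''

def unescape(s):
    """Undo the backslash escaping that .reg exports apply inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header names the current key
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_cata_a(text):
    """Return (autostart_present, addresses_the_virus_recorded_as_mailed)."""
    autostart, mailed = False, []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if (k == RUN_KEY.lower() and name.lower() == "filemgr32"
                and "chktsk32.vbs" in data.lower()):
            autostart = True
        elif k == TRACK_KEY.lower() and data == "WSHWC":
            mailed.append(name)       # assumed layout: value name is the address
    return autostart, mailed

if __name__ == "__main__":
    print(find_cata_a(SAMPLE_EXPORT))
```

The list of recorded addresses is useful for notifying contacts who were sent the Manutenzione.xls.vbs attachment.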

