Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 5 May 2005 21:12:39 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
More Information
VBS/Newley-A is a simple worm and backdoor Trojan.
VBS/Newley-A attempts to copy itself to the following locations:
C:\WinNT.Dat
C:\Windows\System32\CompuSpeed.vbs
C:\Winnt\System32\CompuSpeed.vbs
C:\Help.cfg
C:\WinNT.DAT
The worm also copies itself to the root folder of drives G: to Z: with the name CompuSpeed.vbs.
The worm attempts to create a user account 'geo' with password 'geo' and to make this an administrator account.
VBS/Newley-A downloads a legitimate network application to the following location:
C:\windows\system32\winntsrv.exe
The downloaded application is then used to provide a telnet server on port 10001.
The Trojan provides a fake uninstall option via the Add or Remove Programs dialog in the Windows Control Panel, called "Geography TX-A". Selecting this uninstall option will cause the process SVCHOST.EXE to be terminated, usually causing the computer to shut down.
VBS/Newley-A attempts to disable Sophos Anti-Virus on-access scanning by deleting the following file:
C:\Program Files\Sophos Sweep For NT\ICMON.EXE
The worm creates the following registry entries in order to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: Geography TX 1.0 NT
Data: C:\Winnt\System32\CompuSpeed.vbs

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: Geography TX 1.0 XP
Data: C:\Windows\System32\CompuSpeed.vbs
The worm creates the following registry entry in order to run the Telnet server on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value name: NC1565
Data: winntsrv -l -p10001 -d -e cmd.exe -L
The worm creates the following further registry entries:
HKLM\Software\Microsoft\Windows\Currentversion\uninstall\CompuSpeed
Value name: DisplayName
Data: Geography TX-A

HKLM\Software\Microsoft\Windows\Currentversion\uninstall\CompuSpeed
Value name: UninstallString
Data: taskkill /f /im svchost.exe
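The following PowerShell script is an added example, not part of the Sophos analysis or a Sophos tool. It sweeps a single Windows host for the artefacts listed above (dropped files, the Run-key values, the fake uninstall entry, the 'geo' account and the listener on TCP port 10001) and prints what it finds. It assumes an elevated session on Windows 8.1 / PowerShell 5.1 or later (for Get-LocalUser, Get-LocalGroupMember and Get-NetTCPConnection) and that Sophos Sweep for NT, if installed, lives at the path named in the analysis; the variable and message names are the example's own.

```powershell
# Added example (not Sophos's code): sweep a Windows host for the VBS/Newley-A
# artefacts listed in this analysis. Run in an elevated PowerShell session;
# Get-LocalUser / Get-NetTCPConnection need Windows 8.1 / PowerShell 5.1 or later.
$findings = New-Object System.Collections.Generic.List[string]

# Dropped copies of the worm and the downloaded listener binary (paths from the analysis).
$paths = @(
    'C:\WinNT.Dat',
    'C:\Windows\System32\CompuSpeed.vbs',
    'C:\Winnt\System32\CompuSpeed.vbs',
    'C:\Help.cfg',
    'C:\windows\system32\winntsrv.exe'
)
# CompuSpeed.vbs is also copied to the root of drives G: to Z:.
foreach ($code in ([int][char]'G')..([int][char]'Z')) {
    $paths += "$([char]$code):\CompuSpeed.vbs"
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# The worm deletes ICMON.EXE to disable Sophos on-access scanning; on a host
# that has Sophos Sweep for NT installed, its absence is itself an indicator.
$icmon = 'C:\Program Files\Sophos Sweep For NT\ICMON.EXE'
if ((Test-Path -LiteralPath (Split-Path $icmon)) -and -not (Test-Path -LiteralPath $icmon)) {
    $findings.Add("On-access scanner binary missing: $icmon")
}

# Run-key values and the fake uninstall entry from the analysis.
$registryChecks = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Names = @('Geography TX 1.0 NT', 'Geography TX 1.0 XP', 'NC1565') },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CompuSpeed'
       Names = @('DisplayName', 'UninstallString') }
)
foreach ($check in $registryChecks) {
    if (-not (Test-Path -LiteralPath $check.Path)) { continue }
    $props = Get-ItemProperty -LiteralPath $check.Path
    foreach ($name in $check.Names) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop) { $findings.Add("Registry: $($check.Path) [$name] = $($prop.Value)") }
    }
}

# Backdoor account 'geo', and whether it was made an administrator.
$geo = Get-LocalUser -Name 'geo' -ErrorAction SilentlyContinue
if ($geo) {
    $findings.Add("Local account 'geo' exists (enabled: $($geo.Enabled))")
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -match '\\geo$' }) {
        $findings.Add("Account 'geo' is a member of Administrators")
    }
}

# Listener on TCP 10001 (the winntsrv.exe telnet server started from the NC1565 Run value).
Get-NetTCPConnection -LocalPort 10001 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP 10001 listening, owned by PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No VBS/Newley-A indicators found.'
} else {
    Write-Output "VBS/Newley-A indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Each check is independent, so a host that has already been partly cleaned (for example the files removed but the Run values or the 'geo' account left behind) still produces findings; the missing-ICMON.EXE check only fires when the Sophos directory exists, so it does not raise false positives on hosts that never had the product.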
