Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 23 November 2004 23:49:01 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Messenger6
<Windows system folder>\command.pif
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Svchost
<Windows system folder>\svchosl.pif
and delete them if they exist.
Close the registry editor.
More Information
W32/Anzae-B is a Spanish mass-mailing worm.
When first run, the worm copies itself to the Windows system folder with the name command.pif, drops the file svchos1.pif and sets the following registry entries to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Messenger6
<Windows system folder>\command.pif
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Svchost
<Windows system folder>\svchosl.pif
The worm then creates a copy of svchos1.pif called Paula.pif, drops four more files called ss.exe, sw.exe, sx.exe and sz.exe and creates a ZIP file called m.zip which contains a copy of the virus.
ss.exe is a joke program. sz.exe is a simple ZIP program that is non-malicious. sx.exe and sw.exe are components of the mailing worm.
W32/Anzae-B spreads by sending the ZIP file it has created as an email attachment. The email message sent by the worm has characteristics chosen from the following lists:
Subject line:
re:Crees que puede ser verdad?
re:Amor verdadero
re:xD no me lo puedo creer!!
re:Dejate de rollos y viv
re:Psicolog
re:Neptuno y Mercurio
re:La Luna
re:Voodoo un tanto ps...
re:Eso con queso rima con...xD
re:Como el aire...
Message text:
No veas que cosas xD,luego me cuentas,chao.
Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
Ver es creer!!!!chaoo.
Mira lo que te mando y ya veras que los detalles mas pequenos son los que importan,ciaoo
Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
Que relacion tienen estos planetas?,miralo y luego me cuentas,chao.
Esa moribunda y solitaria Luna,Impresionante!chao.
Sera cierta la magia negra?,sal de dudas y ya me cuentas,chao.
Renvialo a todo que es que se meannn xD,nos vemos!
No comment,xDD ,Nos vemos!!
Attached file:
D-Incognito.zip
Love-Me.zip
EL_rechazo.zip
My life(Mi vida).zip
Psiquico-Mix.zip
Planetario.zip
Moon(Luna).zip
Voodoo!.zip
Rimaz.zip
Para-Brisas.zip
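As an added example (not Sophos code), the following mail-gateway style check scores a raw message against the subject and attachment lists above. The function names, verdict labels and sample messages are constructed for illustration; subjects are compared as prefixes because some entries in the list are cut short.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator strings copied verbatim from the description above.
SUBJECTS = (
    "re:Crees que puede ser verdad?", "re:Amor verdadero",
    "re:xD no me lo puedo creer!!", "re:Dejate de rollos y viv",
    "re:Psicolog", "re:Neptuno y Mercurio", "re:La Luna",
    "re:Voodoo un tanto ps...", "re:Eso con queso rima con...xD",
    "re:Como el aire...",
)
ATTACHMENTS = (
    "D-Incognito.zip", "Love-Me.zip", "EL_rechazo.zip",
    "My life(Mi vida).zip", "Psiquico-Mix.zip", "Planetario.zip",
    "Moon(Luna).zip", "Voodoo!.zip", "Rimaz.zip", "Para-Brisas.zip",
)
_SUBJECTS = tuple(s.lower() for s in SUBJECTS)
_ATTACHMENTS = {a.lower() for a in ATTACHMENTS}


def classify(raw):
    """Return 'quarantine', 'review' or 'pass' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    # Some subjects are cut short in the list, so compare as prefixes.
    subject_hit = subject.startswith(_SUBJECTS)
    names = [part.get_filename() or "" for part in msg.walk()]
    attachment_hit = any(n.strip().lower() in _ATTACHMENTS for n in names)
    if subject_hit and attachment_hit:
        return "quarantine"  # both indicators agree
    if subject_hit or attachment_hit:
        return "review"      # one indicator alone is weak evidence
    return "pass"


def build_sample(subject, filename=None):
    """Constructed test message; the attachment is an empty ZIP archive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed sample body")
    if filename:
        empty_zip = b"PK\x05\x06" + b"\x00" * 18
        m.add_attachment(empty_zip, maintype="application",
                         subtype="zip", filename=filename)
    return m.as_bytes()
```

A subject such as "re:La Luna" is ordinary Spanish, which is why a subject match without a listed attachment name only yields "review".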
W32/Anzae-B also attempts to delete files from the computer it is running on. The following file extensions are at risk from deletion:
.cpp
.vbp
.vbproj
.frm
.cs
.resx
.vb
.csproj
.sln
.rc
.rc2
.asm
.htm
.html
.php
.asp
.css
.nfm
.dpr
.bdsproj
.pas
.reg
.mp3
.rar
.iso
.nrg
.wav
.doc
.xls
.mdb
.ppt
.rpt
.pdf
.bmp
.jpg
.jpeg
.gif
.pcx
.txt
.c
.h
