Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 23 November 2004 22:00:27 (GMT) |
| Last updated | 23 November 2004 23:49:01 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Svchost
<Windows system folder>svchosl.pif
and delete it if it exists.
Close the registry editor.
More Information
W32/Anzae-C is a Spanish mass-mailing worm.
W32/Anzae-C spreads as a zip file attached to email. The email generated by the worm has characteristics such as:
Subject line:
FW:Impresiona!!!!
FW:Pero si es cierto!!!
FW:Miralo!!!!
Message text:
Si tu me vieras....
Mirame!, jajaja
Te pongo a 100,jajaja
Miralo y me comentas luego,jajajaja
Attached file:
Las_cosas_cambian.zip
No_me_lo_creo.zip
Claro_que_lo_se.zip
Con_mas_amor.zip
When first run the worm copies itself to the Windows system folder with the names svchosl.pif and paula.pif.
The worm then drops four more files called ss.exe, sw.exe, sx.exe and sz.exe. Ss.exe is a joke program. Sz.exe is a simple, non-malicious ZIP program. Sx.exe and sw.exe are components of the mailing worm. Sophos's anti-virus products detect the sx.exe component as W32/Anzae-B.
W32/Anzae-C spreads by sending the ZIP file it has created as an email attachment. The email message has characteristics chosen from the following lists:
Subject line:
FW:Impresiona!!!!
FW:Pero si es cierto!!!
FW:Miralo!!!!
FW:Venga que lo disfrutes ;) jajaja
FW:Podr
FW:El amor,el amor,jajaja
FW:Como el aire...xD
Message text:
s de los mismo, pero vale la pena...
s te quise yo :P,jajaja
s dormir??jajaja
:Pero que cosasssssss ,jajajaja
Si tu me vieras....
Mirame!, jajaja
Te pongo a 100,jajaja
Miralo y me comentas luego,jajajaja
Pa q tu vea!jajaja
jajajaja,no pue ser!
Pero que cosasssss!
Esto no me lo creo,joeee , jajajaj
Miralo y reenvia!!!!!jajajaja,comparte le
No comment,xDD ,Nos vemos!!
Attached file:
Las_cosas_cambian.zip
No_me_lo_creo.zip
Claro_que_lo_se.zip
Con_mas_amor.zip
Lo_que_ves.zip
Basta_YA.zip
Nunca_estamos.zip
Siempre_estas_ahi.zip
Para_ti_mas.zip
Lo_que_te_mereces.zip
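Added example (not Sophos code): a Python check a mail gateway could run to match the subject lines and attachment names listed above. Entries the page shows truncated are left out; the function names, the verdict labels and the choice to quarantine on an attachment-name match are assumptions made for this illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Strings copied from the advisory's lists (lower-cased); truncated entries are omitted.
SUBJECTS = {
    "fw:impresiona!!!!", "fw:pero si es cierto!!!", "fw:miralo!!!!",
    "fw:venga que lo disfrutes ;) jajaja", "fw:el amor,el amor,jajaja",
    "fw:como el aire...xd",
}
ATTACHMENTS = {
    "las_cosas_cambian.zip", "no_me_lo_creo.zip", "claro_que_lo_se.zip",
    "con_mas_amor.zip", "lo_que_ves.zip", "basta_ya.zip", "nunca_estamos.zip",
    "siempre_estas_ahi.zip", "para_ti_mas.zip", "lo_que_te_mereces.zip",
}

def _norm(text):
    # Collapse whitespace and case so header folding or renaming case does not defeat the match.
    return " ".join((text or "").split()).lower()

def check_message(raw):
    """Return (verdict, reasons) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if _norm(msg["Subject"]) in SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():  # visits every MIME part, including nested ones
        name = _norm(part.get_filename())
        if name in ATTACHMENTS:
            reasons.append("attachment:" + name)
    # Assumed policy: a listed attachment name quarantines; a subject alone is only suspicious.
    if any(r.startswith("attachment:") for r in reasons):
        return "quarantine", reasons
    return ("suspicious" if reasons else "clean"), reasons

def build_sample(subject, filename=None):
    # Constructed sample message; the attachment body is a harmless placeholder.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Mirame!, jajaja")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()
```
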
W32/Anzae-C sets the following registry entry in order to run itself automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Svchost
<Windows system folder>svchosl.pif
W32/Anzae-C also attempts to delete files from the computer it is running on. Files with the following extensions are at risk of deletion:
.asm
.htm
.html
.php
.asp
.css
.nfm
.dpr
.bdsproj
.pas
.reg
.mp3
.rar
.iso
.nrg
.wav
.doc
.xls
.mdb
.ppt
.rpt
.pdf
.bmp
.jpg
.jpeg
.gif
.pcx
.txt
.bat
.vbs
.log
.msi
.inf
.ini
.dot
.h
.c
