Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 1 March 2005 13:45:18 (GMT) |
| Last updated | 1 March 2005 19:34:08 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/Assiral-B is a mass-mailing worm.
W32/Assiral-B copies itself to the Windows system folder with the filenames CmdPrompt32.pif and MSLARISSA.pif, and to the Windows folder with the filename SP00Lsv32.pif. W32/Assiral-B then sets the following entries in the registry so as to run the copies on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSLARISSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Cinnabd Prompt32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
(L4r1$$4) (4nt1) (V1ruz)
W32/Assiral-B also attempts to copy itself to removable, fixed and remote drives with the filename LOVE_LETTER_FOR_YOU.pif.
W32/Assiral-B searches for email addresses in files of type *.HT* in the current folder, in the Windows folder, and in the folder found at the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Personal
W32/Assiral-B sends itself to the addresses it finds in emails with the following characteristics:
From address: MSLarissa@Admin.com
Subject line from the following list:
Re: Message
Re: Letter
Re: Information
I LOVE YOU
Re: Your Documents
Re: Account Info
Windows Update
Re: My Letter
Re: Docs
Re: Your Email Info
Message text from the following list:
The message is located in the attachments.
The letter you requested is in the attachments.
Information attached.
Kindly read and reply to my LOVE LETTER in the attachments :-)
The documents you requested are in the attachments.
Info reguarding your Email account is in the attachments.
Dear Windows User, Please download the windows updated included in the attachments.
My letter is in the attachments.
Please read the documents included in the attachments
Your email account is about to expire, please check the attachments for details.
Attachment name from the following list:
Message.exe
Letter.exe
Information.exe
LOVE_LETTER_FOR_YOU.exe
Documents.exe
Attached_Message.exe
Microsoft_Update.exe
Private_Letter.exe
Private_Document.exe
Important_Message.exe
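The email characteristics listed above can be turned into a mail-triage check. The following is an added example, not Sophos code: the function name `assiral_b_indicators` and the sample message are constructed for illustration, and the function reports which of the page's indicators a raw message matches so that a filter can weigh them together rather than act on a common subject line alone.

```python
import email
from email import policy

# Indicators copied from the W32/Assiral-B description on this page.
FROM_ADDR = "mslarissa@admin.com"
SUBJECTS = {s.lower() for s in (
    "Re: Message", "Re: Letter", "Re: Information", "I LOVE YOU",
    "Re: Your Documents", "Re: Account Info", "Windows Update",
    "Re: My Letter", "Re: Docs", "Re: Your Email Info")}
ATTACHMENTS = {a.lower() for a in (
    "Message.exe", "Letter.exe", "Information.exe", "LOVE_LETTER_FOR_YOU.exe",
    "Documents.exe", "Attached_Message.exe", "Microsoft_Update.exe",
    "Private_Letter.exe", "Private_Document.exe", "Important_Message.exe")}

def assiral_b_indicators(raw_message: bytes) -> list:
    """Return the page's indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    from_hdr = msg["From"]
    addrs = [a.addr_spec.lower() for a in from_hdr.addresses] if from_hdr else []
    if FROM_ADDR in addrs:
        hits.append("from")
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    # walk() visits nested MIME parts too, so a wrapped attachment is still seen.
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

# Constructed sample message; the attachment body is placeholder text.
SAMPLE = (b"From: MSLarissa@Admin.com\r\n"
          b"To: user@example.org\r\n"
          b"Subject: Re: Docs\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\n"
          b"Information attached.\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="Documents.exe"\r\n\r\n'
          b"placeholder bytes, not a real sample\r\n--b1--\r\n")
```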
W32/Assiral-B attempts to terminate a number of processes related to security and anti-virus programs.
W32/Assiral-B drops and runs a file C:\WINDOWS\WinVBS.vbs, also detected as W32/Assiral-B, which attempts to set the following registry entries to restrict the user's activity on the infected machine:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoRun = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoDrives = 67108863
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
Disabled = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoAdminPage = 1
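The policy values above can be checked offline against a registry export, and the NoDrives data decoded: it is a bitmask in which bit 0 hides drive A: and bit 25 hides drive Z:, so 67108863 (0x03FFFFFF) hides all 26 letters. This is an added example, not Sophos code; the function names and the sample export are constructed for illustration.

```python
import re
import string

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# (subkey, value name) -> data the page says WinVBS.vbs attempts to set
ASSIRAL_B_POLICIES = {
    ("Explorer", "NoRun"): 1,
    ("System", "DisableRegistryTools"): 1,
    ("Explorer", "NoDrives"): 67108863,
    ("WinOldApp", "Disabled"): 1,
    ("System", "NoAdminPage"): 1,
}

def hidden_drives(no_drives: int) -> str:
    """Decode the NoDrives bitmask: bit 0 hides A:, bit 25 hides Z:."""
    return "".join(c for i, c in enumerate(string.ascii_uppercase) if (no_drives >> i) & 1)

def parse_reg_export(text: str) -> dict:
    """Map (full key path, value name) -> int for dword values in .reg text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def matching_policies(reg_text: str) -> list:
    """Return the page's policy values that are present with the listed data."""
    found = {(k.lower(), n.lower()): v for (k, n), v in parse_reg_export(reg_text).items()}
    hits = []
    for (sub, name), data in ASSIRAL_B_POLICIES.items():
        key = (POLICY_ROOT + "\\" + sub).lower()
        if found.get((key, name.lower())) == data:
            hits.append(f"{sub}\\{name}={data}")
    return hits

# Constructed sample in the text format written by "reg export".
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

Registry exports in the Version 5.00 format are written as UTF-16, so decode the file to text before passing it to `matching_policies`.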
W32/Assiral-B attempts to load a hidden instance of Microsoft Internet Explorer and to load a file at http://www.geocities.com/mslarissac.
W32/Assiral-B attempts to delete all DLL and EXE files from the folders C:\WINDOWS\System32, C:\WINDOWS\System and C:\WINDOWS.
W32/Assiral-B may display fake error message boxes with the title "System Error" and the text "Invalid memory address: Program terminating."
W32/Assiral-B drops 3 files, C:\MESSAGE_TO_USER.txt, C:\MESSAGE_TO_AVs.txt and MESSAGE_TO_BROPIA.txt, containing messages from the virus author.
C:\MESSAGE_TO_USER.txt contains the following text:
Greetz to infected user!
I will survive,
In this moment in time.
Your computer will crash,
So, you will be mine.
I will not crash,
I will not fail.
So, in this moment in time,
I will survive...
- LARISSA AUTHOR : 2-24-05
C:\MESSAGE_TO_AVs.txt contains the following text:
Greetz to AVs!
I wanna be in AV industry when I grow up :-)
----------------------------------------
- LARISSA AUTHOR : 2-24-05
MESSAGE_TO_BROPIA.txt contains the following text:
Hey Bropia.. stop making MSN worms it's stupid...
... lol -- Larissa Anti Bropia... -- Saving the world from BROPIA!!!
- LARISSA AUTHOR : 2-24-05
