W32/Combra-C

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winupdatefiv_
<path and filename of worm>

and delete it if it exists.

Close the registry editor.

W32/Combra-C is an email worm for the Windows platform.

W32/Combra-C will arrive as a greeting card email message, informing the recipient to click on an indicated link to view the greeting card. The email message contains the following text:

Ola <Name of recipient> <Recipient's email address> ,

<Sender's email address> Ihe enviou uma mensagem!

Veja o cartaeo que preparei para voce!

<fake link>

Voce tambem podera visualiza-lo colocando o numero de seu cartao:
<fake link>

The fake link will appear to point to a legitimate website, when if clicked upon, it will download a copy of the worm as a screensaver file. The worm will look up the web address book's email addresses and use that information in turn, to send email messages of a similar nature to spread itself.

W32/Combra-C sets the following registry entry to ensure its automatic execution:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winupdatefiv_
<path and filename of worm>

The worm will attempt to download and run an executable file from a remote website. The downloaded file is called CRSS3.EXE at the time of writing. This file is a Trojan and is detected by Sophos as Troj/Bancban-CQ.