Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update = winupdate.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Cult-A is a worm and backdoor Trojan.
W32/Cult-A spreads via file sharing on KaZaA networks and by emailing itself to random email addresses. The email will have the following characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountaineCard.pif
When first run, the worm displays a false error message with the text "The instruction at 0x776456de referenced memory at 0x6235525g3. The memory could not be read Click on OK to terminate the application", copies itself to the Windows System folder as winupdate.exe and creates the following registry entry so that winupdate.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update = winupdate.exe
The worm creates the folder %System%\Kazaa\, copies itself to this folder as DivX 5.03 Codecs.exe, Download accelarator.exe, PaintShop Pro 7 Crack_By_Force.exe, SMS_sender.exe and ZoneAlarm Pro KeyGen.exe and creates the following registry entry so that the %System%\Kazaa\ folder is shareable on Kazaa networks:
HKCU\Software\Kazaa\LocalContent\Dir0 = 012345:C:\WINDOWS\SYSTEM\kazaa\
W32/Cult-A allows a remote intruder to access and control the computer via IRC channels.
When run, W32/Cult-A tries to connect to a remote IRC server and join a specific channel. W32/Cult-A then runs in the background as a server process, listening for commands to execute.
The worm also creates several registry entries under HKLM\Software\Microsoft\WDXDriver to store encrypted IRC server addresses.
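The three registry indicators described above can be checked against a registry export such as the backup made before removal. The following is an added example, not Sophos code: the function names and the sample export are constructed for illustration, and it assumes the export has already been read and decoded to text.

```python
import re

# Registry indicators from the W32/Cult-A description (hive names spelled out as in .reg exports).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"
WDX_KEY = r"hkey_local_machine\software\microsoft\wdxdriver"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export, for illustration only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WDXDriver]
"s1"="(constructed placeholder)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft auto update"="winupdate.exe"
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\SYSTEM\\kazaa\\"
'''

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, None, None) per key header and (key, name, data) per string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_cult_a(text):
    """Return (indicator, detail) tuples for the page's W32/Cult-A registry traces."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if k == WDX_KEY or k.startswith(WDX_KEY + "\\"):
                findings.append(("wdxdriver-key", key))
        elif k == RUN_KEY and name.lower() == "microsoft auto update":
            findings.append(("run-entry", data))
        elif k == KAZAA_KEY and re.search(r"\\system(32)?\\kazaa\\?$", data, re.I):
            findings.append(("kazaa-share", data))
    return findings
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so open the file with `encoding="utf-16"` before passing its contents to `find_cult_a`.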
