Sophos

W32/Famus-F

Aliases
  • I-Worm.Famus.c
  • W32/Bilb.worm
  • WORM_LIBR.A
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 4 November 2004 13:51:28 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility

and delete them if they exist.

Close the registry editor.

More Information

W32/Famus-F is a mass-mailing worm.

W32/Famus-F spreads by sending email messages with itself as an attachment. Email addresses to send to are obtained from the infected machine.

Emails are sent with subject

"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:

'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'

W32/Famus-F may display a message box containing the text "File corrupted or bad format". W32/Famus-F is a mass-mailing worm.

W32/Famus-F spreads by sending email messages with itself as an attachment. Email addresses to send to are obtained from the infected machine.

Emails are sent with subject
"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:

'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'

W32/Famus-F also sends an email to a predefined address, giving details of the infected system.

W32/Famus-F may display a message box containing the text "File corrupted or bad format".

W32/Famus-F copies itself to the Windows system folder. The worm may also drop the file SMTP.OCX in the Windows system folder which appears to be harmless.

W32/Famus-F may also drop a component as MICROSOFT OFFICE.PIF in <Start Menu>\Programs\Startup. Further files may be dropped in C:\recycled\.

W32/Famus-F may create the following registry entries in order to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer