Sophos

W32/Famus-F

Aliases
  • I-Worm.Famus.c
  • W32/Bilb.worm
  • WORM_LIBR.A

Summary

 
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 4 November 2004 13:51:28 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility

and delete them if they exist.

Close the registry editor.

More Information

W32/Famus-F is a mass-mailing worm.

W32/Famus-F spreads by sending email messages with itself as an attachment. Email addresses to send to are obtained from the infected machine.

Emails are sent with the subject

"Mas terrorismo este ano \More terrorism this year"

and contain the following message text:

'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'

W32/Famus-F also sends an email to a predefined address, giving details of the infected system.

W32/Famus-F may display a message box containing the text "File corrupted or bad format".

W32/Famus-F copies itself to the Windows system folder. The worm may also drop the file SMTP.OCX in the Windows system folder; this file appears to be harmless.

W32/Famus-F may also drop a component as MICROSOFT OFFICE.PIF in <Start Menu>\Programs\Startup. Further files may be dropped in C:\recycled\.

W32/Famus-F may create the following registry entries in order to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility
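
The manual registry check from the Action section can also be scripted. The PowerShell below is an added example, not Sophos tooling. It reports the two Run values and the dropped file names listed on this page, and deletes the Run values only when the hypothetical `-Remove` switch is given. The parameter names and the backup file location are assumptions of this example.

```powershell
# Added example: check a host for the W32/Famus-F indicators named on this page.
# Run from an elevated prompt. Read-only unless -Remove is supplied.
param(
    [switch]$Remove,                                   # hypothetical switch for this example
    [string]$BackupFile = "$env:TEMP\Run-backup.reg"   # assumed backup location
)

$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueNames = 'Sav32', 'NortonUtility'
$findings   = New-Object System.Collections.ArrayList

# 1. Autostart values the worm may create.
$key = Get-Item -LiteralPath $runKey
foreach ($name in $valueNames) {
    if ($key.GetValueNames() -contains $name) {
        [void]$findings.Add([pscustomobject]@{
            Kind = 'RunValue'; Location = $runKey; Name = $name; Data = $key.GetValue($name) })
    }
}

# 2. Files the worm may drop. SMTP.OCX is described as apparently harmless,
#    so it is reported as a supporting indicator only. No file is deleted here.
$paths = @(Join-Path ([Environment]::SystemDirectory) 'SMTP.OCX')
foreach ($special in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($special)
    if ($dir) { $paths += Join-Path $dir 'MICROSOFT OFFICE.PIF' }
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        [void]$findings.Add([pscustomobject]@{
            Kind = 'File'; Location = Split-Path $p; Name = Split-Path $p -Leaf; Data = $null })
    }
}

if ($findings.Count -eq 0) { Write-Output 'No W32/Famus-F indicators found.' }
else { $findings | Format-Table -AutoSize }

# 3. Optional cleanup of the Run values, after exporting the Run key as a backup.
#    (The page's manual steps export the whole registry; this exports only the key touched.)
$runHits = @($findings | Where-Object { $_.Kind -eq 'RunValue' })
if ($Remove -and $runHits.Count -gt 0) {
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; nothing was removed." }
    foreach ($hit in $runHits) {
        Remove-ItemProperty -LiteralPath $hit.Location -Name $hit.Name
        Write-Output "Removed Run value '$($hit.Name)' (backup: $BackupFile)"
    }
}
```

Record the `Data` column before removal: it holds the path of the executable the Run value launches, which is the worm copy to submit for scanning.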
