Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | August 2007 (4.20) |
| Protection available since | 19 June 2007 07:08:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/LiarVB-A is a worm for the Windows platform.
Once installed, W32/LiarVB-A spreads through network shares and removable storage devices, including floppy drives and USB keys. W32/LiarVB-A copies itself to the root folder of the drive and adds an autorun.inf file.
The file <Root>\autorun.inf is designed to start the worm once the drive is mounted.
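An added example (not Sophos code): triaging an autorun.inf found on a removable drive by listing the entries that start a program and marking targets whose names match the root-level copies this page lists (BootEx.exe, log.exe). The sample file content and the function names are constructed for illustration; the page does not reproduce the worm's actual autorun.inf.

```python
import ntpath

# Root-level copies named on this page: <Root>\BootEx.exe and <Root>\log.exe.
PAGE_ROOT_NAMES = {"bootex.exe", "log.exe"}
# autorun.inf keys that start a program when the drive is mounted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def launch_targets(autorun_text):
    """Return (key, value) pairs from the [autorun] section that start a program."""
    targets, in_section = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"  # section names are case-insensitive
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def program_of(value):
    """Extract the program path from a command value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def triage(autorun_text):
    """Return (key, file name, verdict) for every entry that launches an executable."""
    findings = []
    for key, value in launch_targets(autorun_text):
        name = ntpath.basename(program_of(value)).lower()
        if name.endswith(EXEC_EXTS):
            verdict = "page-listed name" if name in PAGE_ROOT_NAMES else "executable"
            findings.append((key, name, verdict))
    return findings

# Constructed sample, not recovered from the worm.
SAMPLE = r"""[AutoRun]
open=BootEx.exe
shell\open\command=BootEx.exe
shell\explore\command=tools\setup.exe /s
icon=folder.ico
"""
```

Any "executable" finding on a removable drive still deserves a look; the "page-listed name" verdict only narrows it to the file names documented here.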
W32/LiarVB-A leaves an HTML file on the infected system with a message about AIDS and the following marquee:
"This file Doesn't make harmful change to your computer. This File is NOT DANGEROUS for your Computer and FlashDisk (USB). This File Doesn't Disturb any Data or Files on your computer and FlashDisk (USB). So Dont be affraid, and Be Happy !"
W32/LiarVB-A copies itself to the following locations:
<Open folder>\<Folder name>.exe
<Root>\BootEx.exe
<Root>\log.exe
<Windows>\ErrorReport.exe
<Windows>\MonitorMission.run
<Windows>\MonitorSetup.exe
<Windows>\SystemMonitor.exe
<Windows>\Win System.exe
<Windows>\WinSystem
<Windows>\WinSystem.exe
<Windows>\WinSystem32.exe
<Windows>\regedif.exe
<System>\WindowsUpadate.exe
<System>\mscomfig.exe
<System>\msiexece.exe
<System>\rundlI.exe
<System>\WindowsProtection.exe
<System>\msidlI.exe
<System>\msiexee.exe
<System>\regedif32.exe
<System>\scconfig.exe
<System>\winlocon.exe
<System>\wpa.bdlx
<Windows>\windows.exe
W32/LiarVB-A may also create the following files:
<System>\oeminfo.ini
<System>\oemlogo.bmp
W32/LiarVB-A may create the following registry entries:
HKCR\*\shell\Scan for Virus\Command\
<Root>\windows\MonitorMission.run
HKCR\Folder\shell\Scan for Virus\Command\
<Root>\windows\MonitorMission.run
HKCR\Folder\shell\Search\Command\
<Root>\windows\MonitorMission.run
HKCU\Software\KyrentSoft
