high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 9 February 2006 04:56:55 (GMT) |
| Last updated | 30 May 2006 07:05:16 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/MsTori-A is a P2P and mass-mailing worm for the Windows platform.
When first run W32/MsTori-A may copy itself to the following locations:
\system.com
\Windo5s.com
Myshared\ToRi-Samples.exe
Myshared\WinSE-x86-patch.com
W32/MsTori-A also searches for a random filename harvested from the Windows folder and copies itself to \<harvested random filename>.
W32/MsTori-A creates the following files:
<current folder>\mstori.dll - detected as W32/MsTori-A
<current folder>\mstori.exe - detected as W32/MsTori-A
\mstori32.bat - this file may be deleted
When run W32/MsTori-A displays a fake message box with the title "Microsoft Office" and the message "Microsoft Outlook Updater".
W32/MsTori-A may spread by sending itself to harvested addresses with the following properties:
Message text chosen from:
'Hi U have a fun
ToRi-Samples Full Strepteases on descktop Free (Only For Best Friend)
VirtuaGirl2 Desktop Strepteases
you can see information to http://www.virtuagirl2.com'
'Hi Security ,...
Please Patched Your Windows By Microsft New Patch(Very Important)
Send Patch Program To All Friends
You can see bug info to www.SecurityFocus.com'
Attachment filenames chosen from:
Myshared\ToRi-Samples.exe
Myshared\WinSE-x86-patch.com
The following registry entry is set to run W32/MsTori-A on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random filename>
\<harvested random filename>
|
