Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to delete the following registry key for each user who ran the virus. The removal of this key is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the key:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE key:
HKLM\Software\RedCell\infected = yes
and delete it if it exists.
Close the registry editor and reboot your computer.
More Information
W32/Pepex-A is a worm which can spread via email, IRC and the KaZaA file sharing network.
W32/Pepex-A copies itself to the Windows system folder as winsysX.exe, where X is a random number with 2 or 3 digits. Then the worm creates the registry entry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys
to point to this copy.
The worm uses an infection marker, creating the registry entry
HKLM\Software\RedCell\infected = yes
To propagate over IRC the worm creates the file script.ini so that the worm is sent to all users who join a channel occupied by the infected user. Additionally the script joins the user to the channel #piecebypiece.
W32/Pepex-A sends emails to addresses harvested from HTM files in the Temporary Internet Files folder. The emails have the following characteristics:
From: Microsoft <information@microsoft.com>
Reply-To: Microsoft <microsoft@microsoft.com>
Subject: Internet Explorer vulnerability patch
or simply:
Subject: Hello
In both cases the message text is "You will find all you need in the attachment" and the attached file is called setup.exe.
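The mail characteristics listed above can be matched at a mail gateway or against a mailbox export. The following is an added example, not Sophos code; the function names, the constructed sample message and the decision rule in is_suspect_mail (attachment name plus either the body text or a listed subject) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the description above.
SENDER = "information@microsoft.com"
REPLY_TO = "microsoft@microsoft.com"
SUBJECTS = {"internet explorer vulnerability patch", "hello"}
BODY_TEXT = "you will find all you need in the attachment"
ATTACHMENT = "setup.exe"

SAMPLE = (  # constructed test message, not a captured sample
    "From: Microsoft <information@microsoft.com>\n"
    "Reply-To: Microsoft <microsoft@microsoft.com>\n"
    "Subject: Internet Explorer vulnerability patch\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\n"
    "You will find all you need in the attachment\n"
    "--b\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="setup.exe"\n\n'
    "placeholder\n--b--\n"
)

def email_indicators(raw):
    """Return the set of listed mail characteristics found in a raw message."""
    msg = message_from_string(raw)
    hits = set()
    if parseaddr(msg.get("From", ""))[1].lower() == SENDER:
        hits.add("from")
    if parseaddr(msg.get("Reply-To", ""))[1].lower() == REPLY_TO:
        hits.add("reply-to")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.add("attachment")
        elif not name and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if BODY_TEXT in body.decode("latin-1").lower():
                hits.add("body")
    return hits

def is_suspect_mail(raw):
    # Assumed rule: the attachment is required, because a subject of
    # "Hello" on its own is far too common to act on.
    hits = email_indicators(raw)
    return "attachment" in hits and bool(hits & {"body", "subject"})
```

The From and Reply-To matches are reported by email_indicators but are not required by is_suspect_mail, since the rule keys on the attachment name together with the fixed body text or subject.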
To spread via the KaZaA file sharing network, the worm looks for the KaZaA shared folder and copies itself as either icq2002.exe, wincrack.exe, winamp3.exe or mirc6.exe.

