Summary

| Included in our products from | February 2004 (3.78) |
|---|---|
| Protection available since | 30 December 2003 11:30:49 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
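
The same check can be made offline against the exported backup. This is an added example, not Sophos's own tooling: it parses the text of a regedit export and lists string values under the Run key that reference a file you deleted. The sample export and its value names are constructed, since the page does not name the worm's Run value.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a regedit export; value names are invented for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleEntry"="\"C:\\startup.exe\" /s"
"Updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Other"="C:\\startup.exe"
'''

def unescape(s):
    # String data in a .reg file escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def run_entries(export_text, key=RUN_KEY):
    """Yield (name, command) for string values directly under `key`."""
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new key section
        elif current is not None and current.lower() == key.lower():
            # Only "name"="string" lines; hex: and dword: values are skipped.
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                yield unescape(m.group(1)), unescape(m.group(2))

def references(command, path):
    """True if `path` appears in `command` as a whole file path (case-insensitive)."""
    pattern = r'(?<![\w\\])' + re.escape(path) + r'(?![\w.\\])'
    return re.search(pattern, command, re.IGNORECASE) is not None

def stale_entries(export_text, deleted_files):
    """Run values whose command line points at one of the deleted files."""
    return [(n, c) for n, c in run_entries(export_text)
            if any(references(c, f) for f in deleted_files)]

if __name__ == "__main__":
    for name, cmd in stale_entries(SAMPLE_EXPORT, [r"C:\startup.exe"]):
        print(f"remove Run value {name!r}: {cmd}")
```

Exports written by Windows 2000 and later are UTF-16, so decode the file accordingly before passing its text to `stale_entries`.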
More Information
W32/Qizy-A uses VBS/Qizy-A to mail itself to everyone in the Outlook address book.
W32/Qizy-A attempts to prepend itself to any EXE files in the Windows folder, the My Documents folder and the MIRC folder. Any RTX (ring-tone) files in the My Documents folder are replaced with Jingle Bells. Another program, C:\startup.exe, is dropped and the following registry entry is added so that the new program is run on restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The dropped program informs the user of the infection and claims they may be able to disinfect it once they answer ten questions correctly:
1. Which animal would Santa have if he actually existed?
2. In which country do I live?
3. Which season do I hate the most?
4. What does antivirus person Graham Cluley have between his toes?
5. What kinda virus is an HLLC virus?
6. Which chipset does a U.S. Robotics 22Mbps Wireless PC Card have?
7. Which keyboard layout is used in Belgium?
8. In which language did I write Parrot?
9. And Darkness?
10. In the 'Buffy The Vampire Slayer' series, there's a vampire who had a chip in his head for a while. What's his name?
The answers to the questions are:
1. reindeer
2. Belgium
3. winter
4. cheese
5. companion
6. acx100
7. azerty
8. assembler
9. tcl
10. Spike
On completing the quiz correctly, the user is advised to go to www.geocities.com/quiz_map for disinfection instructions. The site contains a map and five photos, allegedly giving directions to a 'package' which will provide disinfection.
The W32/Qizy-A worm was written by the Belgian virus writer, Gigabyte. A 19-year-old woman believed to be Gigabyte was arrested in February 2004.
