W32/Scold-A

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/ExeName32

and delete it if it exists.

Close the registry editor.

W32/Scold-A is a mass mailer that uses Microsoft Outlook to spread.

W32/Scold-A may arrive in the email with the following characteristics:

Subject line: One of -

"When It's Cold Outside She Gives Me Warm Inside"
"Re: When It's Cold Outside She Gives Me Warm Inside"
"Fw: When It's Cold Outside She Gives Me Warm Inside"

- followed by a random number of random characters.

Message text: One of -

"You will love this cute picture."
"Enjoy this great picture."
"Don´t miss this cool picture."

- followed by the rest of the message:
"============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file. "

The attached file will have a filename constructed from the same characters
that were used in the subject line, followed by a random number and an SCR extension.

When executed W32/Scold-A displays a photo of a seal, copies itself to the Windows folder as Warm.scr and sets following the registry entry with the path to this copy:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run/ExeName32

W32/Scold-A sends itself to all entries from the Outlook Address Book and in addition searches for email addresses in HTM and HTML files from the IE Save folder and CTT files from the MY Documents folder.