Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.

More Information
W32/Shoho-A is a worm which spreads by exploiting a security vulnerability, detailed in Microsoft Security Bulletin MS01-027, that can cause the worm to run as soon as an infected email is viewed, without the attachment being opened. (The patch described in the security bulletin fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
The worm spreads as an attachment to an email with the subject
"Welcome to Yahoo! Mail"
The attachment is named
"readme.txt<large number of spaces>.pif"
The run of spaces pushes the real .pif extension out of view in most mail clients, so the attachment appears to be a harmless text file.
When the worm is run it will create copies of itself named Winl0g0n.exe in the Windows and Windows system directories. It will also create the file email.txt containing a copy of the email message used by the worm. The worm then creates the registry values
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe
both of which contain the path and filename of a copy of the worm. This ensures that the worm is run the next time Windows is started.
The worm then searches the hard disk for addresses to which it can send itself. It will also delete files at random from the directory in which it is running. Note that when the computer is restarted the worm will be run in the Windows directory and may delete files which are required for the correct operation of Windows.
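The two artefacts described above, the padded attachment name and the Run-key persistence entries, are both easy to check for mechanically. The following Python script is an added example written for this page, not Sophos code: it flags attachment names whose executable extension is hidden behind a run of spaces, and it scans a Registry Editor (.reg) export for Run-key values that name or point at Winl0g0n.exe. The .reg text and the attachment name used as input are constructed for the example; the extension list and the padding threshold are assumptions, not values from the write-up.

```python
import re
from typing import Dict, List, Tuple

# Extensions a mail filter would treat as executable (assumption: a short
# illustrative list, not a vendor's).
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}

# Spaces before the final extension that count as an attempt to hide it
# (assumption; the write-up only says "a large number of spaces").
MIN_PADDING = 8

# File name used by W32/Shoho-A for its copies and Run-key values (from the write-up).
WORM_FILE = "winl0g0n.exe"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def real_extension(name: str) -> str:
    """Extension Windows would actually act on: text after the last dot."""
    _stem, dot, ext = name.strip().rpartition(".")
    return ("." + ext.lower()) if dot else ""


def is_disguised_attachment(name: str) -> bool:
    """True when a risky extension is preceded by a long run of whitespace,
    e.g. 'readme.txt<many spaces>.pif'."""
    ext = real_extension(name)
    if ext not in RISKY_EXTENSIONS:
        return False
    body = name.strip()[: -len(ext)]          # everything before the real extension
    padding = len(body) - len(body.rstrip())  # trailing spaces that hide it
    return padding >= MIN_PADDING


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export: '[key]' headers and '"name"="data"' lines.
    Only string values are handled, which is all a Run key normally holds."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    value_re = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = value_re.match(line)
            if m:
                # .reg exports escape each backslash as '\\'
                keys[current][m["name"]] = m["data"].replace("\\\\", "\\")
    return keys


def find_worm_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for Run-key values whose name or
    target file name matches the worm's file name."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            target = data.strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() == WORM_FILE or target == WORM_FILE:
                hits.append((key, name, data))
    return hits


# Constructed sample inputs (not captured from a real infection).
SAMPLE_ATTACHMENT = "readme.txt" + " " * 60 + ".pif"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winl0g0n.exe"="C:\\WINDOWS\\Winl0g0n.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winl0g0n.exe"="C:\\WINDOWS\\SYSTEM\\Winl0g0n.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Winl0g0n.exe"="not-a-run-key"
'''

if __name__ == "__main__":
    print("disguised attachment:", is_disguised_attachment(SAMPLE_ATTACHMENT))
    for key, name, data in find_worm_run_entries(SAMPLE_REG):
        print(f"persistence: {key}\\{name} -> {data}")
```

On a live system the same check would be run against the output of `reg export` for the two Run keys; the parser above is deliberately limited to string values, so binary or expandable-string entries would need extending it.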
