Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
You will also need to edit the following registry entries.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete any reference to any file you deleted.
You will also need to edit the following registry entry for each user who ran the virus. Each has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and delete any reference to any file you deleted.
You may also delete the following entry (this is optional):
HKCR\Software\Microsoft\DataFactory
Close the registry editor.
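As an added example (not part of the Sophos write-up), the audit below checks the persistence locations listed above on a current Windows system and only deletes matching Run values when -Remove is passed; the file-name regex, the use of PowerShell rather than Regedit, and the choice to merely report the DataFactory and .CEO keys are assumptions, since the page does not state the exact values written there.

```powershell
# Added example, not from the Sophos page: audit W32/Winevar-A persistence.
# Run in an elevated PowerShell. Nothing is deleted unless -Remove is passed.
function Find-WinevarPersistence {
    param([switch]$Remove)

    # File names from the write-up: WINxxxx.PIF (random four digits) in the
    # system folder and EXPLORER.PIF on the Desktop. The regex is an assumption
    # about how the Run value data is written.
    $pattern = '(?i)\\WIN\d{4}\.PIF\b|\\EXPLORER\.PIF\b'

    $runKeys = @(
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    # One Run key per loaded user hive (HKEY_USERS\<SID>), as the page describes.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
        $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }

    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -notmatch $pattern) { continue }
            $findings += [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            # Only named values are removed; the (default) value is left for manual review.
            if ($Remove -and $name) { Remove-ItemProperty -Path $key -Name $name }
        }
    }

    # Side effects the page mentions: the address repository under
    # HKCR\Software\Microsoft\DataFactory and the .CEO-runs-as-EXE mapping.
    # The exact value the HTM file writes is not stated, so these are only reported.
    $extraKeys = @('Registry::HKEY_CLASSES_ROOT\Software\Microsoft\DataFactory',
                   'Registry::HKEY_CLASSES_ROOT\.CEO')
    foreach ($extra in $extraKeys) {
        if (Test-Path $extra) {
            $default = [string](Get-Item $extra).GetValue('')
            $findings += [pscustomobject]@{ Key = $extra; Name = '(key present)'; Data = $default }
        }
    }
    return $findings
}

$results = Find-WinevarPersistence
if ($results) { $results | Format-Table -AutoSize } else { 'No Winevar-A persistence entries found.' }
```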
Installing the patch
Microsoft has issued a patch which secures against the incorrect MIME header vulnerability and the IFRAME vulnerability. This can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)
More Information
W32/Winevar-A is a dropper for the W32/Flcss virus and a worm which spreads by emailing itself via SMTP to addresses on the local computer.
The worm copies itself to the Windows system folder as WINXXXX.PIF (where XXXX represents a random four-digit number) and adds to the following registry entries to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The worm also drops a copy of itself on the Windows Desktop as EXPLORER.PIF.
W32/Winevar-A drops W32/Flcss within the Windows system folder as WINXXXX.TMP (where XXXX represents a random four-digit number). The file contains the following text within its DOS header: "~ AAVER 2002 in Seoul ~".
Emails have the following characteristics:
From: <registered owner> (defaults to "AntiVirus")
Subject: <registered organisation> (defaults to "Trand Microsoft Inc.")
or
Subject: Re: AVAR(Association of Anti-Virus Asia Researchers)
Message text: "<registered owner> - <registered organisation>"
Attached files:
WINXXXX.TXT (12.6 KB)
WINXXXX.GIF (120 BYTES)
WINXXXX.PIF
MUSIC_1.HTM
MUSIC_2.CEO
W32/Winevar-A creates several entries within the registry at HKCR\Software\Microsoft\DataFactory, which is a repository of the addresses to which an infected email has been sent.
The HTM file contains a link entitled "Association of Ti-Virus Asia Researchers" which points to www.aavar.org
When run the HTM file adds an entry to the registry so that CEO files are interpreted as EXE files by the operating system.
W32/Winevar-A contains the following text in an encrypted form:
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.
W32/Winevar-A attempts to terminate processes containing the following names:
view, debu, scan, mon, vir, iom, ice, anti, fir, prot, secu, dbg, avk, pcc, spy, microsoft, ms, _np, r n, cicer, irmon, smtpsvc, moniker, office, program, explorewclass, antivirus, cillin, nlab, vacc. This appears to be an attempt to disable various anti-virus products which may be running on the infected user's computer.
On system restart W32/Winevar-A displays the message "Make a fool of oneself: What a foolish thing you've done!". If the "OK" button is pressed the worm deletes all deletable files in all folders.
W32/Winevar-A also attempts to launch a denial of service attack on the website belonging to anti-virus vendor Symantec by sending HTTP requests to www.symantec.com every 1 millisecond in an infinite loop.
The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
