Sophos

W32/Prolin

Aliases
  • W32.Prolin.Worm
  • Troj_Shockwave.A
  • Creative
  • Troj_Prolin.A
  • W32/ProLin@MM

Summary

Included in our products from February 2001 (3.42)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

At the Windows taskbar, select Start|Settings|Taskbar, then click the Start Menu Programs tab. Click Remove, then click Startup. Delete the reference to Creative.exe.

In the C: folder, locate the file Messageforu.txt. It lists the previous locations of the files that the worm renamed and moved to the C: folder.

Move the files back to their previous locations, and rename them to their previous extensions by removing the text "change at least now to Linux" from the end of each file extension.

More Information

W32/Prolin is a worm which uses Microsoft Outlook to spread.

The worm arrives as an attachment to an email message with the subject "A great Shockwave flash movie". The body of the message contains the text "Check out this new flash movie that I downloaded just now...It's Great, Bye".

The attached filename is CREATIVE.EXE. If the attached file is run, the worm copies itself into C:\CREATIVE.EXE and C:\Windows\Start Menu\Programs\Startup\CREATIVE.EXE and sends itself as an attachment to all contacts from your Outlook address book. It also sends an email with the subject "Job complete" and the text "Got yet another idiot." to a Yahoo email address.

The worm looks for any files with the extension MP3, JPG and ZIP and moves them into the C:\ directory. The moved files remain unchanged but the worm renames them so that the extension is concatenated with the string "change at least now to Linux", e.g. from "Flowers.jpg" to "Flowers.jpgchange at least now to Linux".

To restore the files, move them back to their original locations and rename them so that the concatenated string is removed from the filename. The worm also creates a text file, C:\Messageforu.txt, which helps with restoring the files. The file contains the following text:

"Hi, guess you have got this message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped you harddisk. Remember this is a warning & get it sound and clear... - The Penguin"

The file also contains a list of the previous locations for all the renamed files which were moved to the C:\ directory.
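The manual restoration described in the Action section and above can be scripted. The following is an added example (not Sophos code) that strips the worm's suffix from the renamed files and moves them back to the locations recorded in Messageforu.txt; it assumes that list is one full original path per line after the message text, since the page does not show its exact layout, and it renames unlisted files in place rather than dropping them.

```python
"""Restore files moved and renamed by W32/Prolin (added example, not Sophos code).
Assumption: the location list in Messageforu.txt is one full original path per
line following the worm's message text; the page does not show its exact layout."""
import tempfile
from pathlib import Path

SUFFIX = "change at least now to Linux"   # string the worm appends to the extension
TARGET_EXTS = (".mp3", ".jpg", ".zip")     # file types the worm moves to C:\

def parse_message_file(text: str) -> dict[str, Path]:
    """Map lower-cased original file name -> original full path; lines that do
    not end in a targeted extension (the worm's message text) are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().endswith(TARGET_EXTS):
            entries[Path(line).name.lower()] = Path(line)
    return entries

def restore_files(root: Path, message_file: Path) -> dict[str, Path]:
    """Strip SUFFIX from every renamed file in `root` and move it back to the
    recorded location; unlisted files are renamed in place. Never overwrites."""
    originals = parse_message_file(message_file.read_text(errors="replace"))
    restored = {}
    for entry in sorted(root.iterdir()):
        if not entry.is_file() or not entry.name.endswith(SUFFIX):
            continue
        clean = entry.name[: -len(SUFFIX)]
        dest = originals.get(clean.lower(), root / clean)
        if dest.exists():  # keep both copies rather than clobber a file
            dest = dest.with_name(dest.stem + ".restored" + dest.suffix)
        dest.parent.mkdir(parents=True, exist_ok=True)
        entry.rename(dest)
        restored[entry.name] = dest
    return restored

def demo() -> dict[str, str]:
    """Build a constructed post-infection drive root in a temp dir, restore it,
    and return renamed name -> restored path relative to that root."""
    with tempfile.TemporaryDirectory() as tmp:
        root, docs = Path(tmp), Path(tmp) / "My Documents"
        for name in ("Flowers.jpg", "song.mp3", "notes.zip"):  # constructed samples
            (root / (name + SUFFIX)).write_bytes(b"sample bytes for " + name.encode())
        (root / "Messageforu.txt").write_text(  # notes.zip deliberately unlisted
            "Hi, guess you have got this message. ... - The Penguin\n"
            f"{docs / 'Photos' / 'Flowers.jpg'}\n{docs / 'Music' / 'song.mp3'}\n")
        restored = restore_files(root, root / "Messageforu.txt")
        return {old: new.relative_to(root).as_posix() for old, new in restored.items()}
```

Run restore_files against a copy of the affected drive root first and check the returned map before touching the live volume.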
