high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | October 2004 (3.86) |
| Protection available since | 9 September 2004 11:04:27 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Amus-A is a worm for the Windows platform.
In order to run automatically when Windows starts up W32/Amus-A creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microzoft_Ofiz=C:\WINDOWS\KdzEregli.exe.
W32/Amus-A uses the automation interface to Microsoft Outlook. The worm replicates by including the executable as an email attachment. Subjects used by the virus include:
"Listen and Smile"
"Hey. I beg your pardon. You must listen"
W32/Amus-A attempts to use the Microsoft Speech engine to read the following greeting to 'listening' users:
"How are you? I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule."
During playback, the worm may be performing malicous actions based on the current day of the month:
10th, 23rd - worm removes files matching *.ini from the Windows folder.
2nd, 15th, 17th - worm removes files matching *.dll from the Windows folder.
W32/Amus-A may then alter the following registry entries:
HKCU\Software\Microsoft\Masum\
Who = "OnEmLi_DeGiL"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Start Page = "Konneting du pepil and dizkoneting you. Anlami: Baglansan ne
olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet."
|
