W32/Combra-B

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Combra-B is an email worm with downloader Trojan capabilities.

W32/Combra-B will arrive as an HTML email message containing the following text:

Olá <Name> <email address> ,

Seu amigo(a) <email address> dedicou-lhe uma música da Rádio Terra.

Para ouvir a sua musica
Clique aqui!. <fake link>

Caso o link acima esteja com problema:
Clique aqui!. <fake link>

The fake link appears to point to a legitimate Brazilian website but, if clicked, takes the user to a different website. At the time of writing, this website was unavailable.

When run, W32/Combra-B will attempt to display a website using Internet Explorer.

W32/Combra-B will attempt to download an executable from a predefined site to C:\windows\system\Explorer.EXE and run it. At the time of writing, this link was not available.

W32/Combra-B then sends out an email to a Brazilian address in order to inform a remote user that the computer has been infected.

W32/Combra-B harvests email addresses from the Windows Address Book as well as Internet Account Manager accounts and sends an HTML email message to any addresses found.

In order to run automatically each time a user logs in, W32/Combra-B will set the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdateconn_
<path to executable>
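
The following host check is an added example, not part of the original description or of any vendor tool: it looks for the Run value and the download path named above. The function name Get-CombraBFindings is hypothetical, and checking the WOW6432Node view of the Run key goes beyond what the page states (it assumes a 32-bit sample on 64-bit Windows).

```powershell
# Added example: look for the W32/Combra-B artefacts named in this description.
$ValueName = 'winupdateconn_'                  # Run value name, from the page
$DropPath  = 'C:\windows\system\Explorer.EXE'  # download target, from the page

# Run key from the page, plus its 32-bit registry view (assumption, see lead-in).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CombraBFindings {
    $findings = @()

    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Property names are compared case-insensitively by -contains.
        if ($props.PSObject.Properties.Name -contains $ValueName) {
            $findings += [pscustomobject]@{
                Type   = 'RunValue'
                Where  = $key
                Detail = [string]$props.$ValueName   # path the value launches at logon
            }
        }
    }

    # The legitimate Windows shell is %SystemRoot%\explorer.exe, so a file of
    # that name under the "system" subdirectory is worth collecting for analysis.
    if (Test-Path -LiteralPath $DropPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $DropPath -Force
        $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'DroppedFile'
            Where  = $DropPath
            Detail = "SHA256=$hash; CreatedUtc=$($file.CreationTimeUtc.ToString('u'))"
        }
    }

    return $findings
}

$result = Get-CombraBFindings
if ($result) { $result | Format-List } else { 'No W32/Combra-B artefacts found.' }
```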