Email-Worm.VBS.Nobelman

Class Email-Worm
Platform VBS
Description

Technical Details

This worm propagates by creating copies of itself on local disks and write-accessible network resources. The worm is a JavaScript script (an HTML file). It is 4 612 bytes in size.

Payload

The worm code will be activated when the user views an infected HTML page using a browser which allows active content to be launched.

In order to infect the victim machine, the worm will:

Search the directories listed below for non-infected HTML files (clean files will not have a string which says at the beginning of the file):

%WinDir%
%System%
%Temp%

The worm then writes its body to the start of all files found.

Search for the following P2P network folders:

C:\Program Files\KMD\My Shared Folder
C:\Program Files\KaZaA\My Shared Folder
C:\Program Files\KaZaA Lite\My Shared Folder
C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\Grokster\My Grokster
C:\Program Files\BearShare\Shared
C:\Program Files\Edonkey2000\Incoming
C:\Programme\KMD\My Shared Folder
C:\Programme\KaZaA\My Shared Folder
C:\Programme\KaZaA Lite\My Shared Folder

It copies its body to these folders as “%Template%.jpg.html” (%Template% is a random combination of the words listed below):

Hot
Teen
Sexy
Fuckin
Wet
Super
Black
XXX
Dildo
Asian
Pussy
Lesbian
SexParty
Bitches
Ass

Each time the worm is launched, it will copy itself five times.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  • Using a text editing program (e.g. Notepad), check all files with an *.HTML extension in the following directories for a string which says at the beginning of the file:
    %WinDir%
    %System%
    %Temp%

    If such files are present on the victim machine, replace them with non-infected copies from your backup.

  • Delete the following files (if they are present):
    C:\Program Files\KMD\My Shared Folder
    C:\Program Files\KaZaA\My Shared Folder
    C:\Program Files\KaZaA Lite\My Shared Folder
    C:\Program Files\Morpheus\My Shared Folder
    C:\Program Files\Grokster\My Grokster
    C:\Program Files\BearShare\Shared
    C:\Program Files\Edonkey2000\Incoming
    C:\Programme\KMD\My Shared Folder
    C:\Programme\KaZaA\My Shared Folder
    C:\Programme\KaZaA Lite\My Shared Folder
  • Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
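
An added example (not part of the original description and not vendor code): a Python check that lists files in the P2P folders above whose names fit the “%Template%.jpg.html” pattern, and notes whether each file's size equals the stated 4 612 bytes. It assumes the words are joined directly or with a space, underscore or hyphen, which the description does not specify; the function and variable names are illustrative.

```python
import os
import re

# Words the page lists as the building blocks of %Template%.
WORDS = ["Hot", "Teen", "Sexy", "Fuckin", "Wet", "Super", "Black", "XXX",
         "Dildo", "Asian", "Pussy", "Lesbian", "SexParty", "Bitches", "Ass"]

# P2P share folders named on the page.
P2P_FOLDERS = [
    r"C:\Program Files\KMD\My Shared Folder",
    r"C:\Program Files\KaZaA\My Shared Folder",
    r"C:\Program Files\KaZaA Lite\My Shared Folder",
    r"C:\Program Files\Morpheus\My Shared Folder",
    r"C:\Program Files\Grokster\My Grokster",
    r"C:\Program Files\BearShare\Shared",
    r"C:\Program Files\Edonkey2000\Incoming",
    r"C:\Programme\KMD\My Shared Folder",
    r"C:\Programme\KaZaA\My Shared Folder",
    r"C:\Programme\KaZaA Lite\My Shared Folder",
]

WORM_SIZE = 4612  # size of the worm body in bytes, as stated on the page

# Assumption: words are joined directly or with one space, "_" or "-".
_ALT = "|".join(re.escape(w) for w in WORDS)
NAME_RE = re.compile(rf"(?:{_ALT})(?:[ _-]?(?:{_ALT}))*\.jpg\.html",
                     re.IGNORECASE)


def is_suspect_name(filename):
    """True if filename is <one or more listed words>.jpg.html and nothing else."""
    return NAME_RE.fullmatch(filename) is not None


def scan(folders=P2P_FOLDERS):
    """Return (path, size_matches) for each suspect file in folders that exist."""
    hits = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        with os.scandir(folder) as entries:
            for entry in entries:
                if entry.is_file() and is_suspect_name(entry.name):
                    hits.append((entry.path, entry.stat().st_size == WORM_SIZE))
    return hits


if __name__ == "__main__":
    for path, size_matches in scan():
        note = "size matches worm body" if size_matches else "size differs"
        print(f"{path}  ({note})")
```

A name match alone is only an indicator; confirm with an antivirus scan before deleting anything.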