Calposa is a worm virus that spreads via the Internet as an attachment to infected emails and through the Kazaa file-sharing network. The worm itself is a Windows PE EXE file about 57KB in length and is written in Visual Basic.
The infected email messages have the following attributes:
The worm activates from an infected email only when a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.
The worm does not register any of these files in the system registry auto-run key, nor in any other “auto-run” key or command.
To send infected messages the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
The worm copies itself to the “C:\Program Files\KaZaa\My Shared Folder” directory with the following names:
If this directory is a Kazaa file-sharing directory, the worm will spread over the Kazaa network.
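A triage check for the shared folder named above, as an added example that is not part of the original description: it flags files that are PE executables of roughly 57KB and reference the Visual Basic runtime. The 4KB size tolerance and the `MSVBVM60`/`MSVBVM50` runtime-DLL marker (Visual Basic 5/6) are assumptions, and a match is a lead for further analysis, not an identification.

```python
import os
import struct

# Assumptions (not from the original description): the size tolerance and
# the Visual Basic 5/6 runtime DLL names used as a marker.
EXPECTED_SIZE = 57 * 1024
SIZE_TOLERANCE = 4 * 1024
VB_RUNTIME_MARKERS = (b"MSVBVM60", b"MSVBVM50")


def is_pe_executable(data):
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_file(path):
    """Return which of the described traits (pe, size, vb-runtime) a file has."""
    with open(path, "rb") as handle:
        data = handle.read(EXPECTED_SIZE + SIZE_TOLERANCE + 1)
    traits = []
    if is_pe_executable(data):
        traits.append("pe")
        if abs(os.path.getsize(path) - EXPECTED_SIZE) <= SIZE_TOLERANCE:
            traits.append("size")
        if any(marker in data.upper() for marker in VB_RUNTIME_MARKERS):
            traits.append("vb-runtime")
    return traits


def scan_shared_folder(folder):
    """Return sorted names of files in folder that show all three traits."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and len(triage_file(path)) == 3:
            hits.append(name)
    return hits


if __name__ == "__main__":
    shared = r"C:\Program Files\KaZaa\My Shared Folder"
    if os.path.isdir(shared):
        for name in scan_shared_folder(shared):
            print("review:", name)
```

The check keys on file content rather than file names or extensions, so a renamed executable in the shared folder is still reported.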
The worm writes the following data to the “c:\Windows\System.ini” file:
On April 1st the worm deletes all files in the following directories:
C:\Windows
C:\Windows\System32
C:\Windows\System
C:\Windows\inf
C:\Program Files\Kazaa
then it deletes the file:
and displays the message:
On February 16th the worm displays a red-colored picture with the text “ANVX by industry” on it.
On April 2nd the worm displays the message: