Trojan.VBS.Carewmr

Class: Trojan
Platform: VBS
Description

Technical Details

Carewmr is a dangerous trojan program written in the VBS language. It deletes the contents of the “C:\Windows” directory.

When the trojan program is executed, it shows the following messages:

“Welcome to CLRAV of Kasperskys, press OK or Accept to Start scanning your computer.”

“ERROR!, Code error:3212552, please execute this tool in MS-DOS.”

“Thank You for prefer Kasperskys Products”

“Carewmr” then opens the “http://www.avp.ru” site in the default Internet browser.

On September 1st the trojan program displays the message:

“Mr.Carew vuelve otra vez!!, jaja”

It also removes the following registry keys:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro”

“Carewmr” then creates several files and directories, as listed below.

Files created:

“C:\Norton2003isbad_preferKAVORAVP”
“C:\AVP”
“C:\NAV”
“C:\CHILE”
“C:\TEMUCO”
“C:\MCAFEE”
“C:\ENTELPCS”
“C:\GSM1900MHZ”
“C:\SONYERICSSON”
“C:\CAREFULLY_WHIT_ME”
“C:\YOUR_PC_IS_VERY_BAD”
“C:\I HATE MELINA”
“C:\VBS.CarewMR.a”
“C:\Windows is a real virus?”
“C:\MELINA_TE_ODIO_MUERETE!”
“C:\WindowsXP”
“C:\Windows3.11”
“C:\Windows98SE”
“C:\WindowsME”
“C:\Windows 95”
“C:\WindowsNT”
“C:\Windows2000”
“C:\TELLCELL S.A”
“C:\PORN”
“C:\ORAL_SEX”
“C:\BIN_LADEN_FUCKYOU”
“C:\ICQ”
“C:\PANDA”
“C:\NOD32”
“C:\TREND”
“C:\PC-CILLIN”
“C:\AvpM.exe”
“C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!”
“C:\Norton_thePOOR”
“C:\Madonna_Sucking_my_dick.avi”
“C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja”
“C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES”

Directories created:

“C:\Symantec”
“C:\KasperskyLabs”
“C:\PandaSoftware”
“C:\TrendMicro”
“C:\Eset-Nod-fucked”

Next the trojan creates a text file named CLRAV_Report.log that has the following contents:

“Due an error, Code error:3212552, CLRAV has not disinfect your computer”
“For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error.”

Currently, this trojan program is reported to be “in the wild”.
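
A triage check built from the file, directory and report indicators listed above, added here as an example and not part of the original description. The function names, the threshold of three hits and the assumption that CLRAV_Report.log sits in the scanned root are illustrative; the description does not say where the report is written.

```python
import os
import tempfile

# Names from the description above, lowercased because Windows paths are
# case-insensitive. Subset of the page's lists; extend as needed.
MARKER_FILES = {"avp", "nav", "mcafee", "vbs.carewmr.a", "avpm.exe",
                "norton_thepoor", "your_pc_is_very_bad", "carefully_whit_me"}
MARKER_DIRS = {"symantec", "kasperskylabs", "pandasoftware", "trendmicro",
               "eset-nod-fucked"}
REPORT_NAME = "clrav_report.log"      # assumed to be in the scanned root
REPORT_TEXT = "code error:3212552"    # from the report contents quoted above


def triage_root(root, threshold=3):
    """Return (hits, report_match, suspicious) for the top level of `root`."""
    hits, report_match = [], False
    for entry in os.scandir(root):
        name = entry.name.lower()
        # The type must match too: the page lists C:\AVP as a file and
        # C:\Symantec as a directory.
        if entry.is_file() and name in MARKER_FILES:
            hits.append(entry.name)
        elif entry.is_dir() and name in MARKER_DIRS:
            hits.append(entry.name)
        elif entry.is_file() and name == REPORT_NAME:
            with open(entry.path, errors="replace") as fh:
                report_match = REPORT_TEXT in fh.read().lower()
    # A lone hit (a genuine C:\Symantec folder, say) is weak evidence;
    # several markers together, or the fake report text, is strong.
    suspicious = report_match or len(hits) >= threshold
    return sorted(hits), report_match, suspicious


def build_sample(root, files=(), dirs=(), report=None):
    """Constructed fixture standing in for a mounted C: drive root."""
    for f in files:
        open(os.path.join(root, f), "w").close()
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    if report is not None:
        with open(os.path.join(root, "CLRAV_Report.log"), "w") as fh:
            fh.write(report)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, files=["AVP", "NAV", "VBS.CarewMR.a"], dirs=["Symantec"])
        print(triage_root(tmp))
```

Point `triage_root` at the root of a mounted disk image or a copied drive listing rather than a live system, so the check itself does not alter timestamps on the evidence.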