W97M.Comical@mm
Discovered on:
February 1, 2002 |
Last Updated on:
February 1, 2002 at 06:47:26 PM
PST |
W97M.Comical@mm is a mass mailing worm that will drop
the VBS File, "C:\Twin.VBS", that will create and run
the EXE file, "C:\Windows\AVW32.EXE". The VBS file will
also create the file "C:\backup.win", where it will
store the recipient email addresses from the Outlook
Address Book.
Type: Macro,
Worm
Infection
Length: One VBA Module
Virus
Definitions: February 4, 2002
Threat
Assessment:
Wild:
Damage:
Distribution:
Technical
description:
W97M.Comical@mm is a mass mailing worm that will drop
the VBS File, "C:\Twin.VBS", that will create and run
the EXE file, "C:\Windows\AVW32.EXE". The VBS file will
also create the file "C:\backup.win", where it will
store the recipient e-mila addresses from the Outlook
Address Book. The executable, "C:\Windows\AVW32.EXE"
will use this file to send the document to all
recipients in the affected user's Outlook Address Book.
The e-mail will have the following
characteristics:
Subject: A comical story for
you.
Body: I send you a comical story found on
the Net. Best Regards. You friend. <infected
user name> Attachment:
comical_story.doc
The Word Document will also
create a copy of itself as
"C:\WINDOWS\NetInfo.Doc.
The Script portion will
be detected as VBS.Comical@mm and the executable portion
will be detected as W32.Comical@mm.
Removal
instructions:
Delete all files detected
as W97M.Comical@mm, VBS.Comical@mm, and W32.Comical@mm.
Also delete "C:\backup.win".
Write-up by: Brett Johnson
|