Symantec United States
global sites
products
purchase
service and support
security response
downloads
about symantec
search
feedback


© 1995-2002 Symantec Corporation.
All rights reserved.
Legal Notices
Privacy Policy

security response
Category 1

W97M.Comical@mm

Discovered on: February 1, 2002
Last Updated on: February 1, 2002 at 06:47:26 PM PST

Printer-friendly versionPrinter-friendly version Tell a Friend

W97M.Comical@mm is a mass mailing worm that will drop the VBS File, "C:\Twin.VBS", that will create and run the EXE file, "C:\Windows\AVW32.EXE". The VBS file will also create the file "C:\backup.win", where it will store the recipient email addresses from the Outlook Address Book.

Type: Macro, Worm

Infection Length: One VBA Module

Virus Definitions: February 4, 2002

Threat Assessment:

Low Low Medium
Wild:
Low
Damage:
Low
Distribution:
Medium

Wild:

Damage:

Distribution:

Technical description:

W97M.Comical@mm is a mass mailing worm that will drop the VBS File, "C:\Twin.VBS", that will create and run the EXE file, "C:\Windows\AVW32.EXE". The VBS file will also create the file "C:\backup.win", where it will store the recipient e-mila addresses from the Outlook Address Book. The executable, "C:\Windows\AVW32.EXE" will use this file to send the document to all recipients in the affected user's Outlook Address Book. The e-mail will have the following characteristics:

Subject: A comical story for you.

Body:
I send you a comical story found on the Net.
Best Regards. You friend.
<infected user name>
Attachment: comical_story.doc

The Word Document will also create a copy of itself as "C:\WINDOWS\NetInfo.Doc.

The Script portion will be detected as VBS.Comical@mm and the executable portion will be detected as W32.Comical@mm.

Removal instructions:

Delete all files detected as W97M.Comical@mm, VBS.Comical@mm, and W32.Comical@mm. Also delete "C:\backup.win".


Write-up by: Brett Johnson