W32/Eira.A@mm
| W32/Eira.A@mm |
Destructivity:  Spreading:  Overall risk: 
|
| • Detected by virus detection files published: 11/28/2001 | • Type: Worm |
| • Virus characteristics first published: 11/28/2001 | • Spreading mechanism: Email, Network |
| • Virus characteristics latest update: 12/17/2003 | • Overall risk: Low |
| • Alias: I-Worm.Quamo, Win32.Q4Like.A, Win32.HLLM.Rocket.57344 | • Payload: Destroys files |
| • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
Email characteristics:
Possible subjects are: 1. A brand new game! I hope you enjoy it 2. Something very special 3. I know you will like this 4. Yes, something I can share with you 5. Wait till you see this! When executed it will copy itself to C:\EIRAM\QUAKE4DEMO.EXE, F:\QUAKE4DEMO.EXE, %WINDIR%\QUAKE4DEMO.EXE, %WINDIR%\HONEY.EXE and %WINDIR%\SETUP.EXE. It creates the following registry keys HKLM\Software\Microsoft\Windows\Currentversion\Run Q4 = C:\EIRAM\QUAKE4DEMO.EXE quake = F:\QUAKE4DEMO.EXE HKCU\Software\Microsoft\Windows\Currentversion\Run quake = C:\EIRAM\QUAKE4DEMO.EXE Q4 = F:\QUAKE4DEMO.EXE It will then display a message screen containing two buttons. The "next" button is disabled, so the only option is to press the "cancel" button, in which case the worm will start its emailing routine. |
||||||||||||||