W32/Updatr.A@mm
| W32/Updatr.A@mm |
Destructivity:  Spreading:  Overall risk:
|
| • Detected by virus detection files published: 12/6/2001 | • Type: Worm |
| • Virus characteristics first published: 12/6/2001 | • Spreading mechanism: Email |
| • Virus characteristics latest update: 12/17/2003 | • Overall risk: Low |
| • Alias: I-Worm.Updater | • Payload: Installs annoying script worm |
| • Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
|
This is a new email worm that spreads via Microsoft Outlook. It is written in Visual Basic, and is in addition compressed using the well known packing program UPX. It is 12288 bytes long. At the time of this writing, Norman has received only one confirmed report of Updatr.A from an infected user. We will of course monitor the situation. When run it will copy itself to the Windows directory under the name UPDATE.EXE, and set the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Update = C:\WINDOWS\UPDATE.EXE This has the effect that the worm is executed on startup. The worm will also copy a small Visual Basic script worm, VBS/Updatr.A, to the startup directory. There are now three other variants of this worm, W32/Updatr.B@mm, W32/Updatr.C@mm and W32/Updatr.D@mm. |
||||||||||||||