W32/Updatr-A / I-Worm.Updater / Win32/Updatr.A@mm / I-WORM.IMELDA.B / Update.VBS (Sophos)
Overview
Date: Thu, 6 Dec 2001 19:56:52 (GMT)
Name: W32/Updatr-A
Aliases: I-Worm.Updater, Win32/Updatr.A@mm
Type: Win32 worm

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

Description: W32/Updatr-A emails itself to everyone in the user's address
book.

The email subject and attachment names are variable.
The body text of the email reads:

    Hi:
    This is the file you ask for, Please save it to disk and open
    this file,
    it is very important

When the worm is first run, it copies itself to the Windows
directory as Update.exe and creates the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Update. The
registry entry refers to this file so that it is run
automatically each time Windows is started.

Each time the worm runs it displays a message box with the
title:

    File Open Error

and the text:

    Cannot Open files: it does not appear to be a valid archive ...

The worm also creates the script Update.vbs in the StartUp
folder.

This script searches for files which have the extension .EXE,
.DOC or .VBS. The script then creates a copy of itself with the
same name but with an added extension .VBS. For example, if the
script finds a file named Frog.exe, it will create a copy named
Frog.exe.vbs.

On the 12th of the month, the script will display a message box
with the title:

    I-WORM.IMELDA.B

and the text:

    Hi there.., you are infected by some of IWING creations..,
    have a nice day
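
A defender-side check for the file artifacts described above, as an added example that is not part of the Sophos advisory: it walks a directory tree and reports .EXE, .DOC or .VBS files that have a same-named .vbs copy beside them, plus any Update.vbs in a folder named StartUp. The function names and the sample tree are constructed for illustration, and the check assumes the original file is left in place next to the copy.

```python
import os
import tempfile

# Extensions the advisory says Update.vbs searches for.
TARGET_EXTS = (".exe", ".doc", ".vbs")


def find_companion_copies(root):
    """Return sorted paths of <name>.<ext>.vbs files that sit next to <name>.<ext>."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            # A copy looks like Frog.exe.vbs: outer extension .vbs, inner
            # extension one of the targeted types, and (assumption) the
            # original file still present in the same folder.
            if ext == ".vbs" and stem.endswith(TARGET_EXTS) and stem in lowered:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_startup_script(root):
    """Return paths of Update.vbs files located in a folder named StartUp."""
    return sorted(
        os.path.join(dirpath, f)
        for dirpath, _dirs, files in os.walk(root)
        if os.path.basename(dirpath).lower() == "startup"
        for f in files
        if f.lower() == "update.vbs"
    )


def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demo."""
    layout = [
        "docs/Frog.exe", "docs/Frog.exe.vbs",      # original plus copy
        "docs/Report.doc", "docs/Report.doc.vbs",  # original plus copy
        "docs/notes.txt", "docs/backup.vbs",       # unrelated files
        "docs/orphan.exe.vbs",                     # no original beside it
        "StartUp/Update.vbs",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_companion_copies(tmp) + find_startup_script(tmp):
            print(os.path.relpath(hit, tmp))
```

A hit is only a naming match; confirm it against the Run\Update registry entry and an anti-virus scan before treating the machine as infected.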

| Publisher | Sophos | File Format | HTML |
|---|---|---|---|
| Date Published | December 2001 | Format | White Papers |



