¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Alias:VBS/Cuerpo.A
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Medium 

DistributionThe worm searches for email addresses in all files with extension: .txt, .na2, .wab, .mbx, .dbx and .dat. It sends itself using Microsoft Outlook. The email looks like this:

Subject: the subject is the attachment name, without extension
Attachment: the file name is variable, but it is the same as the name of the file created in system directory.

Technical DetailsWorm/Cuervo is programmed in Visual Basic. It creates a series of .HTML and .VBS files, it modifies registry entries and it replaces the Internet Explorer start site with its own HTML file.
Cuervo looks into Outlook Inbox for emails with attachments. If it finds such an email, the worm copies its code, in the system directory, into a file named after the attachment found, using the extension .VBS.

After running WINSTART.BAT, the worm tries to copy itself in the following directories:
C:\%WinDIR%\startm~1\programs\startup\
C:\%WinDIR%\menu"~1\programmes\"marrage\
C:\%WinDIR%\menuin~1\programas\inicio\ C:\%WinDIR%\alluse~1\menuin~1\programas\iniciar\ C:\%WinDIR%\startmenü\programme\autostart\

Worm/Cuervo also creates a file in C:\RECYCLED directory and in Windows system directory and registers them:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%entry% = %filename%.vbs

Then, the worm replaces the Internet Explorer start site with a file named BLANK.HTM from system directory. After the infection, it opens the following Internet site: http://www.freedonation.com.

The following registry entry is made:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = C:\%WinDIR%\%SystemDIR%\BLANK.HTML
Descripción insertada por Crony Walker el martes, 15 de junio de 2004

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.