Alias:VBS/Cuerpo.A
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Medium 

DistributionThe worm searches for email addresses in all files with extension: .txt, .na2, .wab, .mbx, .dbx and .dat. It sends itself using Microsoft Outlook. The email looks like this:

Subject: the subject is the attachment name, without extension
Attachment: the file name is variable, but it is the same as the name of the file created in system directory.

Technical DetailsWorm/Cuervo is programmed in Visual Basic. It creates a series of .HTML and .VBS files, it modifies registry entries and it replaces the Internet Explorer start site with its own HTML file.
Cuervo looks into Outlook Inbox for emails with attachments. If it finds such an email, the worm copies its code, in the system directory, into a file named after the attachment found, using the extension .VBS.

After running WINSTART.BAT, the worm tries to copy itself in the following directories:
C:\%WinDIR%\startm~1\programs\startup\
C:\%WinDIR%\menu"~1\programmes\"marrage\
C:\%WinDIR%\menuin~1\programas\inicio\ C:\%WinDIR%\alluse~1\menuin~1\programas\iniciar\ C:\%WinDIR%\startmenü\programme\autostart\

Worm/Cuervo also creates a file in C:\RECYCLED directory and in Windows system directory and registers them:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%entry% = %filename%.vbs

Then, the worm replaces the Internet Explorer start site with a file named BLANK.HTM from system directory. After the infection, it opens the following Internet site: http://www.freedonation.com.

The following registry entry is made:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = C:\%WinDIR%\%SystemDIR%\BLANK.HTML
설명 삽입자 Crony Walker   2004년 6월 15일 화요일

뒤로 . . . .

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

내 계정

https:// 이 창은 보안을 위해 암호화되었습니다.