Alias: W32/SfxDeth.A-mm, W32/Lagel.A
Type: Worm
Size: 54,514 bytes
Origin: unknown
Date: 12-04-2002
Damage: Sent by email, spread over local networks
VDF Version:
Danger: High
Distribution: Low

General Description
Worm/Holar.C is an Internet worm that sends itself by email using its own SMTP engine and deletes all the data from the local drives D, E, F and G.

Symptoms
- Screen dialogues appear (see technical details).
- Outgoing emails, as described below.

Distribution
It sends itself by email as executable .EXE files, using its own SMTP engine, to the email addresses found on the infected computer.

Technical Details
Worm/Holar.C is an Internet worm that sends itself by email using its own SMTP engine. The email addresses are collected from the local .HTM and .HTML files. An email sent by Worm/Holar.C looks like this:

Subject: Fwd: Crazy illegal sex !
Body:

Note: forwarded message attached.

--------------------------------------------------------

Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes


Forwarded Message [ Save to my Yahoo! Briefcase | Download File ]
From: Sara1987@yahoo.com
To: Virgin_gurlz_N_boyz@yahoogroups.com
Date: 24 Aug 2002 17:11:18 -0000
Subject: Fwd: Crazy illegal Sex


---------------------------------------------------------

Hii

Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u
DON'T see dis Clip.
Emagine two young children havin
crazy sex fo da first time togetha !
loooool i'm still wonderin where thier
parents were?

Good Fuck , oh sorry :">
i mean Good Luck ;)

Bye

Attachment: iLLeGal.exe

When the attachment is opened, the worm copies itself in the Windows system as 'iLLeGal.exe' and creates the files: 'Mplayer.exe', 'Mmails.dll' and 'smtp.ocx'.

The file "smtp.ocx" is used for sending email. Email addresses collected from .HTM and .HTML files are saved in "Mmails.dll". The worm then creates the following registry entry so that it is activated at every system start:

[HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGal"="C:\Windows\System\Mplayer.exe"

A second registry entry is used to count how many times the worm has been started:

HKEY_Local_Machine\
"iLLeGal"="X" ('X' is for the times Worm/Holar.C was activated)

When the counter ('X') reaches the value 5, the worm tries to delete all the files from the local drives D, E, F and G. Then, some pictures appear on the screen.
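
The indicators above can be checked offline against a regedit text export and a directory listing. The following Python is an added example, not part of the original description; the function names and the sample data are constructed for illustration.

```python
import re

# Indicators named in the description above (compared case-insensitively).
WORM_FILES = {"illegal.exe", "mplayer.exe", "mmails.dll", "smtp.ocx"}
RUN_KEY = r"\software\microsoft\windows\currentversion\runservices"
VALUE_NAME = "illegal"

# A string value line in a regedit text export: "name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # Exports write \\ for a backslash and \" for a quote.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_holar_indicators(reg_text, file_names):
    """Return (kind, detail) findings for the worm's registry values and files."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if name.lower() != VALUE_NAME:
            continue
        # The autostart value lives under RunServices; the page truncates the
        # counter's key, so any other value with this name is reported with its key.
        kind = "autostart" if key.lower().endswith(RUN_KEY) else "counter?"
        findings.append((kind, f"{key} = {data}"))
    findings += [("file", f) for f in file_names if f.lower() in WORM_FILES]
    return findings

# Constructed sample input (not captured from a real system).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGal"="C:\\Windows\\System\\Mplayer.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''
SAMPLE_FILES = ["KERNEL32.DLL", "iLLeGal.exe", "Smtp.ocx"]

if __name__ == "__main__":
    for kind, detail in find_holar_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

A file-name match alone is only a lead, since other software can use the same names; the RunServices value is the stronger indicator.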

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* iLLeGal.exe
* Mplayer.exe
* Mmails.dll
* smtp.ocx

Start "regedit" after that and edit the following registry entries:

* [HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGal"="C:\Windows\System\Mplayer.exe"

* HKEY_Local_Machine\
"iLLeGal"="X" ('X' for counting)

Restart your computer.

- for Windows 9x/ME:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* iLLeGal.exe
* Mplayer.exe
* Mmails.dll
* smtp.ocx

Start "regedit" after that and edit the following registry entries:

* [HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices]
"iLLeGal"="C:\Windows\System\Mplayer.exe"

* HKEY_Local_Machine\
"iLLeGal"="X" ('X' for counting)

Restart your computer.
Description submitted by Crony Walker on Tuesday, June 15, 2004
