Alias:W32/Scold@MM, Win32.Scold.A, W32.Scold@mm
Type:Worm 
Size:28,160 bytes 
Origin:unknown 
Date:12-11-2003 
Damage:sends itself by email 
VDF Version:6.22.00.06 
Danger:Low 
Distribution:Medium 

General DescriptionWorm/Scold.A has a size of 28,160 bytes. When activated, it copies itself in Windows directory as warm.scr and pf17.scr. Then a window with the picture of a baby will appear. The worm spreads itself by email.

Symptoms* increased email traffic

Distribution* sends itself by email

Technical DetailsWhen activated, the worm copies itself in the following directories:

* C:\%Windows%\warm.scr
* C:\%Windows%\pf17.scr

It creates the following registry entry, so that it will be run at the next system start:

HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion\Run
"ExeName32"="C:\\WINDOWS\\Warm.scr"

Then it sends itself to all contacts found in Microsoft Outlook Address Book.

A mail message sent by Scold.A looks like this:

Subject:
* When It's Cold Outside She Gives Me Warm Inside <many blanks and a random sign>
* Fw: When It's Cold Outside She Gives Me Warm Inside <many blanks and a random sign>
* Re: When It's Cold Outside She Gives Me Warm Inside <many blanks and a random sign>

Body:
* You will love this cute picture.
* Enjoy this great picture.
* Don't miss this cool picture.

With the following text added:
============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.

Attachment: <random name>.scr

Manual Remove Instructions- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:
* C:\%Windows%\warm.scr
* C:\%Windows%\pf17.scr

Start "regedit" after that and delete the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion\Run
"ExeName32"="C:\\WINDOWS\\Warm.scr"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear.

Delete the following files:

* C:\%Windows%\warm.scr
* C:\%Windows%\pf17.scr

Start "regedit" after that and delete the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion\Run
"ExeName32"="C:\\WINDOWS\\Warm.scr"

Restart your computer.
Описание добавил Crony Walker в(о) вторник, 15 июня 2004 г.

Назад . . . .
 
 
 
 

© 2012 Avira Operations GmbH & Co. KG. Все права защищены.