需要修復電腦?
聘請專家
Alias:VBS/Cuerpo.A
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Medium 

DistributionThe worm searches for email addresses in all files with extension: .txt, .na2, .wab, .mbx, .dbx and .dat. It sends itself using Microsoft Outlook. The email looks like this:

Subject: the subject is the attachment name, without extension
Attachment: the file name is variable, but it is the same as the name of the file created in system directory.

Technical DetailsWorm/Cuervo is programmed in Visual Basic. It creates a series of .HTML and .VBS files, it modifies registry entries and it replaces the Internet Explorer start site with its own HTML file.
Cuervo looks into Outlook Inbox for emails with attachments. If it finds such an email, the worm copies its code, in the system directory, into a file named after the attachment found, using the extension .VBS.

After running WINSTART.BAT, the worm tries to copy itself in the following directories:
C:\%WinDIR%\startm~1\programs\startup\
C:\%WinDIR%\menu"~1\programmes\"marrage\
C:\%WinDIR%\menuin~1\programas\inicio\ C:\%WinDIR%\alluse~1\menuin~1\programas\iniciar\ C:\%WinDIR%\startmenü\programme\autostart\

Worm/Cuervo also creates a file in C:\RECYCLED directory and in Windows system directory and registers them:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%entry% = %filename%.vbs

Then, the worm replaces the Internet Explorer start site with a file named BLANK.HTM from system directory. After the infection, it opens the following Internet site: http://www.freedonation.com.

The following registry entry is made:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = C:\%WinDIR%\%SystemDIR%\BLANK.HTML
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二

返回 . . . .

© 2013 Avira Operations GmbH & Co. KG. 保留所有權利.

我的帳戶

https:// 為了你的安全,此視窗已加密。