Email-Worm.BAT.XPMsg

From Total Malware Info


An email worm that spreads as an attachment to email messages. It sends itself to every email address found on the victim's machine. The worm is an HTML page containing a VBS script. Its size is 2613 bytes.


Installation

The worm infects files with "*.HT*" extensions (such as "*.HTM", "*.HTML", etc.) located on all hard drives. When infecting, it writes its code to the end of the file, skipping any file whose body already contains the following string:

XPMsg

Propagation via Email

Mail Subject:

Fw: Nude Pic

Mail Body:

There's some great links at http://www.freeporn.com
P.S. Don't tell the boss. :o)

The PC is infected when such a message is opened.

This worm tests the following registry key before spreading:

[HKCU\Software\Microsoft]
"VBS.XPMsg" = "VBS.XPMsg@mm"

If the key already exists, the worm does not send a copy of itself to the recipient. Otherwise, the worm sends its copy and then creates the key.

Payload

The worm displays the following message after infection:

You've been slammed by VBS/XPMsg@mm, a wonderful new work by Office XP bites!
Get used to it!
VBS/XPMsg@mm is copyright (c)
2001
Thank you Microsoft! What would this world be without you...

Removal Instructions

  1. Delete the original worm file (its file name and location depend on how the worm originally penetrated the target computer).
  2. Delete email messages with the subject "Fw: Nude Pic".
  3. Restore files with the "*.HT*" extension from backup.
  4. Delete the registry key:
    [HKCU\Software\Microsoft]
    "VBS.XPMsg" = "VBS.XPMsg@mm"
  5. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
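
To decide which "*.HT*" files need restoring in step 3 and whether the registry value from step 4 is present, the indicators above can be checked with a short script. This is an added example, not part of the original description; the function names `scan_tree` and `registry_marker_present` are hypothetical, and treating a marker located after the last `</html>` tag as "appended code" is a heuristic assumption.

```python
import os
import sys
from fnmatch import fnmatch

MARKER = b"XPMsg"  # infection marker string named on this page
REG_PATH, REG_NAME = r"Software\Microsoft", "VBS.XPMsg"  # from this page

def scan_tree(root):
    """Return [(path, offset, appended)] for *.HT* files containing MARKER.

    'appended' is True when the marker sits after the last </html> tag, which
    matches code written to the end of a file (heuristic, an assumption).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch(name.upper(), "*.HT*"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            offset = data.find(MARKER)
            if offset == -1:
                continue
            close_tag = data.lower().rfind(b"</html>")
            hits.append((path, offset, close_tag != -1 and offset > close_tag))
    return sorted(hits)

def registry_marker_present():
    """True if the HKCU value exists; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            winreg.QueryValueEx(key, REG_NAME)
            return True
    except FileNotFoundError:
        return False

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, offset, appended in scan_tree(root):
        print(f"{path}: marker at byte {offset}, after </html>: {appended}")
    print("registry marker:", registry_marker_present())
```

A hit only means the file contains the marker string; a page that merely mentions "XPMsg" is also reported, so review each hit before restoring from backup.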