W32/Alphx.worm.a

Type: Virus
SubType: Internet Worm
Discovery Date: 10/14/2003
Length: 24,579 bytes
Minimum DAT: 4299 (10/22/2003)
Updated DAT: 4376 (07/14/2004)
Minimum Engine: 5.1.00
Description Added: 10/15/2003
Description Modified: 12/02/2003 12:37 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This worm spreads by sending a hyperlink to contacts on your AOL Instant Messenger (AIM) Buddy List. Following that link directs you to a website that contains Exploit-ObjectData code, which automatically downloads and installs the W32/Alphx.worm virus.

Upon visiting a malicious site, the file AV.EXE is saved to C:\ and executed. This executable creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus" = c:\av.exe

The default start page of Internet Explorer is changed.

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.realphx.com

Symptoms

Presence of the file C:\av.exe

Method of Infection

This worm spreads via AOL Instant Messenger and Internet Explorer browsers that have not been patched against MS03-040.

Removal

All Windows Users:
Use the specified engine and DAT files for detection and removal.

Manual Removal Instructions

  • Apply the MS03-040 patch
  • Delete the following registry keys (Information on deleting registry keys)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Antivirus"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"
  • Restart the computer
  • Delete the files (if present)
    • c:\a.exe
    • c:\av.ex
    • %WinDir%\av.exe
    • %WinDir%\b.exe

Additional Windows ME/XP removal considerations
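The following triage script is an added example, not McAfee's own tooling: it checks a host for the indicators listed above (the Run value, the hijacked Start Page, and the dropped files, including C:\av.exe from Symptoms) and only changes anything when run with -Remediate; add -WhatIf to preview the changes.

```powershell
# Added example: check for W32/Alphx.worm.a indicators from this description.
# Run from an elevated PowerShell prompt; files may be locked until after a
# restart, as the manual removal steps note (restart before deleting files).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ieKey  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
# File paths as listed on this page (c:\av.ex is kept exactly as listed).
$files  = @('C:\a.exe', 'C:\av.ex', 'C:\av.exe', "$env:WinDir\av.exe", "$env:WinDir\b.exe")
$findings = @()

# 1. Persistence: Run value "Antivirus" pointing at c:\av.exe
$run = Get-ItemProperty -Path $runKey -Name 'Antivirus' -ErrorAction SilentlyContinue
if ($run -and $run.Antivirus -match '(?i)av\.exe') {
    $findings += "Run value 'Antivirus' = $($run.Antivirus)"
    if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\Antivirus", 'Remove Run value')) {
        Remove-ItemProperty -Path $runKey -Name 'Antivirus'
    }
}

# 2. Hijacked Internet Explorer start page
$ie = Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -match '(?i)realphx\.com') {
    $findings += "IE Start Page = $($ie.'Start Page')"
    if ($Remediate -and $PSCmdlet.ShouldProcess("$ieKey\Start Page", 'Remove Start Page value')) {
        Remove-ItemProperty -Path $ieKey -Name 'Start Page'
    }
}

# 3. Dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remediate -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/Alphx.worm.a indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Without -Remediate the script only reports, so it can be used as a read-only check across machines before applying the MS03-040 patch and the manual removal steps.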

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Trojan.Sinkin (Symantec)
  • Win32.Realphx (CA)
