W32/Wukill.worm

Type
Virus
SubType
Internet Worm
Discovery Date
08/14/2003
Length
1,208,320
Minimum DAT
4286 (08/18/2003)
Updated DAT
5555 (03/16/2009)
Minimum Engine
5.1.00
Description Added
11/19/2003
Description Modified
11/19/2003 11:21 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a detection for an Internet worm that spreads by email and floppy disks.

When run, the worm copies itself to %WinDir%\Mstray.exe, where %WinDir% is the Windows directory. It creates the following registry value in order to run itself at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "RavTime" = %WinDir%\Mstray.exe

The worm modifies the following registry value to disable the display of hidden and system files in Explorer:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Advanced "Hidden" = 0

If run on Windows 98/ME systems, it launches the Windows File Manager located at %WinDir%\Winfile.exe. If run on Windows 2000/XP systems, it displays a fake message box as follows:

The worm sends itself to all users in the Windows Address Book and Global Address List via Outlook.  The email has the following characteristics:

Subject: (None)
Body:   This is a progrom from Ms-Dos from Microsoft, It can help you to study Ms-dos.  Don't you want to see ?
Attachment: MShelp.EXE

The worm monitors the currently active Explorer window on the desktop. If the text in the title bar matches the worm's own location, it copies itself to another location under a random file name and deletes the copy at the old location. The locations the worm copies to include the following:

  • %WinDir%\temp
  • %WinDir%\font
  • %WinDir%\Web
  • %WinDir%\help

It updates the registry run value mentioned above with the current location and file name. If the floppy drive is accessed, it copies itself to the floppy as a:\winfile.exe.
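As an added example (not part of the original description), the following Python function evaluates a constructed snapshot of registry values and file paths against the indicators listed above: the "RavTime" Run value pointing into %WinDir% or one of the relocation directories, the Explorer "Hidden" value set to 0, and the known file names Mstray.exe and a:\winfile.exe. The snapshot format and the sample values are assumptions made for the example.

```python
# Indicators taken from the W32/Wukill.worm description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "RavTime"
HIDDEN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# %WinDir% itself (Mstray.exe) plus the directories the worm relocates to.
DROP_DIRS = ("", r"\temp", r"\font", r"\web", r"\help")
FLOPPY_COPY = r"a:\winfile.exe"


def _norm(path, windir):
    """Lower-case a path and replace the real Windows directory with %windir%."""
    p = path.strip().lower()
    if p.startswith(windir.lower()):
        p = "%windir%" + p[len(windir):]
    return p


def check_indicators(reg_values, files, windir=r"C:\Windows"):
    """reg_values: {(key_path, value_name): data}; files: iterable of paths seen on disk.
    Returns a list of human-readable findings; an empty list means nothing matched."""
    reg = {(k.lower(), n.lower()): d for (k, n), d in reg_values.items()}
    findings = []
    run_data = reg.get((RUN_KEY.lower(), RUN_VALUE.lower()))
    if run_data is not None:
        parent = _norm(run_data, windir).rsplit("\\", 1)[0]
        if parent in tuple("%windir%" + d for d in DROP_DIRS):
            findings.append(f"Run value {RUN_VALUE} points into a Wukill drop location: {run_data}")
        else:
            findings.append(f"Run value {RUN_VALUE} present with unexpected target: {run_data}")
    if reg.get((HIDDEN_KEY.lower(), "hidden")) == 0:
        findings.append("Explorer 'Hidden' is 0: hidden and system files are not shown")
    for f in files:
        if _norm(f, windir) in (r"%windir%\mstray.exe", FLOPPY_COPY):
            findings.append(f"Known Wukill file name on disk: {f}")
    return findings


# Constructed sample snapshot: the worm has already relocated itself to %WinDir%\help
# under a random name (qx83ks.exe is made up) and a copy sits on the floppy.
SAMPLE_REG = {
    (RUN_KEY, "RavTime"): r"C:\Windows\help\qx83ks.exe",
    (HIDDEN_KEY, "Hidden"): 0,
    (RUN_KEY, "ExampleApp"): r"C:\Program Files\Example\app.exe",  # benign, constructed
}
SAMPLE_FILES = [r"C:\Windows\help\qx83ks.exe", r"A:\winfile.exe", r"C:\Windows\notepad.exe"]

if __name__ == "__main__":
    for line in check_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(line)
```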

Symptoms

Existence of the registry value and files mentioned above.

Method of Infection

The worm spreads via email and floppy drive.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Wullik@mm (Symantec)
  • W32/Wukill.A (Norman)
  • W32/Wukill.worm.gen
  • Win32.Wukill.A (CA)
  • WORM_WUKILL.A (Trend)
