W32/Quis@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 12/22/2003
Length: 32,768 bytes
Minimum DAT: 4312 (12/31/2003)
Updated DAT: 4320 (01/28/2004)
Minimum Engine: 5.1.00
Description Added: 01/02/2004
Description Modified: 01/05/2004 11:40 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update 31st December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at:
http://news.zdnet.co.uk/software/0,39020381,39118847,00.htm

This worm was submitted directly to several anti-virus vendors by the virus author. It is not known to be in the wild.

This email worm mass-mails itself to the first 666 recipients in the Outlook Address Book, using the following email message:

Subject: Merry Christmas!
Body:  You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)
Attachments: xmas.scr
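
A mail-gateway style check for the message described above, as an added example that is not part of the original description. The subject and attachment name come from this page; the function names, the sample addresses and the broader ".scr attachment" rule are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison.
QUIS_SUBJECT = "merry christmas!"
QUIS_ATTACHMENT = "xmas.scr"


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that declares one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw_bytes):
    """Return (verdict, reasons) for one raw message."""
    # policy.default decodes RFC 2047 encoded headers before comparison.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names = attachment_names(msg)
    reasons = []
    if subject == QUIS_SUBJECT:
        reasons.append("subject")
    if QUIS_ATTACHMENT in names:
        reasons.append("attachment-name")
    if len(reasons) == 2:
        return "match", reasons
    # Assumption beyond this page: a .scr file is a Windows executable,
    # so any such attachment is worth holding for review.
    if any(n.endswith(".scr") for n in names):
        return "suspicious", reasons + ["scr-attachment"]
    return "clean", reasons


def build_sample(subject, filename):
    """Constructed test message with a harmless placeholder payload."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
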

When the attachment is run, a message box is displayed:

The worm drops several files and creates a registry run key to run one of them at startup:

  • c:\startup.exe
  • c:\xmas.scr
  • %SystemDirectory%\jbells.rtx
  • %SystemDirectory%\mail.vbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" = c:\startup.exe

The file that runs at startup is a "quiz" game. Questions are displayed within a DOS window. If you answer a question correctly, you move on to the next question. Answer 10 questions right, and a URL is displayed, which leads the way to "information on how to clean your computer". Navigating to the site in question displays a map of a town, and pictures leading to something hidden in the underbrush. The infected user is supposed to go to this physical location to retrieve the "package".

The worm prepends itself to .exe files on the local system.

Symptoms

Presence of the following files:

  • c:\startup.exe
  • c:\xmas.scr
  • %SystemDirectory%\jbells.rtx
  • %SystemDirectory%\mail.vbs

Method of Infection

This virus spreads via email (MAPI) and via parasitically infected executables.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Qizy (AVP)
  • PE_QUIS.A-O (Trend)
  • W32.HLLP.Belzy@mm (Symantec)
  • W32/Qizy-A (Sophos)
  • W32/Quiz.A (Panda)
  • Win32.HLLP.Quizy
  • Win32.Quis.A (CA)
