W32/Mandei.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 07/10/2006
- Length: Varies
- Minimum DAT: 4803 (07/10/2006)
- Updated DAT: 5184 (12/12/2007)
- Minimum Engine: 5.1.00
- Description Added: 07/10/2006
- Description Modified: 11/07/2006 8:08 AM (PT)
Characteristics
W32/Mandei.worm is an instant messaging worm that propagates over MSN Messenger and targets the Win32 platform.
When run, the worm may send a message containing a website link to the user's MSN contact list. The message could look like the following:
| Voce je viu a montagem q fizero com suas fotos e Eu Particularmente achei uma brincadeira de muito mau gosto... Veja as fotos voce mesmo -->> http://mywebpage.netscape.com/net(hidden)/Fotos.scr |
This link typically leads to a PWS-Banker variant that could monitor or steal Internet banking passwords.
After execution, W32/Mandei.worm sets the hidden file attribute on itself and remains resident in memory.
Symptoms
The following registry key may be added to execute the trojan on Windows startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "%Windir%\System32\msnmsgr.exe"
(Where %Windir% is the Windows folder, e.g. C:\Windows)
Presence of one or more of the following file(s):
- %Windir%\System32\msnmsgr.exe
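A host check for the two indicators listed above, as an added example that is not part of the original advisory or any vendor tooling. The function name Test-MandeiIndicators is hypothetical; the registry value and file path are the ones given on this page.

```powershell
# Added example (not vendor code): look for the W32/Mandei.worm indicators
# described in the Symptoms section. Function and variable names are hypothetical.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'msnmsgr'
$expected = Join-Path $env:windir 'System32\msnmsgr.exe'

function Test-MandeiIndicators {
    $result = [ordered]@{
        RunValuePresent = $false
        RunValueData    = $null
        RunValueMatches = $false
        FilePresent     = $false
        FileHidden      = $false
        FileSha256      = $null
    }

    # Indicator 1: Run value "msnmsgr" pointing at %Windir%\System32\msnmsgr.exe
    $prop = Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue
    if ($prop) {
        # Expand %Windir% and strip surrounding quotes before comparing
        $data = [Environment]::ExpandEnvironmentVariables($prop.$valName).Trim('"')
        $result.RunValuePresent = $true
        $result.RunValueData    = $data
        $result.RunValueMatches = ($data -ieq $expected)
    }

    # Indicator 2: the file itself. -Force is needed because the worm
    # sets the hidden attribute on its own file.
    $file = Get-Item -LiteralPath $expected -Force -ErrorAction SilentlyContinue
    if ($file) {
        $result.FilePresent = $true
        $result.FileHidden  = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
        # Hash is collected for submission or comparison; the page lists no hash
        $result.FileSha256  = (Get-FileHash -LiteralPath $expected -Algorithm SHA256).Hash
    }

    [pscustomobject]$result
}

Test-MandeiIndicators | Format-List
```

A host where RunValueMatches and FilePresent are both true matches the symptoms described here and should be scanned with current DATs.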
Method of Infection
This worm propagates over the MSN Messenger network by sending messages containing a malicious web link to the user's contact list.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A