W32/Nymph.gen@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 06/28/2001
- Length: 28,672
- Minimum DAT: 4146 (07/04/2001)
- Updated DAT: 4267 (05/28/2003)
- Minimum Engine: 5.1.00
- Description Added: 08/08/2001
- Description Modified: 08/08/2001 4:26 PM (PT)
Characteristics
This is a mass-mailing worm virus and IRC trojan. It is very unstable and is unlikely to spread far. It is also related to the W32/Roach@MM worm.
The virus arrives via e-mail with the following information:
Subject: Fw: (Random)
Body:
SMACK!!!
You have been hit
This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!
Attachments: SETUP.EXE and FORTUNE.ZIP
The FORTUNE.ZIP file contains COOKIE.EXE and a text file named FILE_ID.DIZ. The text file contains the text:
FortuneCookie 32 - Version 1.0
* FREEWARE *
DESCRIPTION:
============
FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very simple
double clicking on the cookie.exe file will bring up a fortune cookie.
This program is freeware so feel free to send out a word of
wisdom to your friends!
A copy of the virus is saved to the file DCCOM32.EXE in the %WinDir%\SYSTEM directory and a registry run key is created to load the virus at startup:
HKLM\Software\Microsoft\CurrentVersion\Run\dcomdriver=%WinDir%\SYSTEM\DCCOM32.EXE
The virus also saves a zipped copy of itself to %WinDir%\SYSTEM\EGGCASE.ATT, for use in further mailing.
Symptoms
Presence of %WinDir%\SYSTEM\DCCOM32.EXE, or EGGCASE.ATT
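The indicators described above (the two dropped files and the dcomdriver run value) can be checked offline against a saved file listing and saved `reg query` output for the run key. This is an added example, not part of the original description; the input formats, function names and sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above; both files are dropped in %WinDir%\SYSTEM.
DROPPED_FILES = {"dccom32.exe", "eggcase.att"}
RUN_VALUE = "dcomdriver"

# A value line of `reg query` output: indented name, type and data in columns.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def match_files(paths):
    """Return listed paths naming a dropped file inside a SYSTEM directory."""
    hits = []
    for raw in paths:
        path = raw.strip()
        directory, name = ntpath.split(path)
        in_system = ntpath.basename(directory).lower() == "system"
        if in_system and name.lower() in DROPPED_FILES:
            hits.append(path)
    return hits

def match_run_values(reg_query_text):
    """Return (name, data) pairs for Run values that match the autostart entry."""
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group("name"), m.group("data").strip().strip('"')
        # Match on the value name, or on the target in case the name differs.
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() == "dccom32.exe":
            hits.append((name, data))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\DCCOM32.EXE",
    r"C:\WINDOWS\system\eggcase.att",
    r"C:\WINDOWS\SYSTEM\USER.EXE",
    r"C:\TEMP\EGGCASE.ATT.txt",
]
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\...\\Run\n"
    "    SystemTray    REG_SZ    SysTray.Exe\n"
    "    dcomdriver    REG_SZ    C:\\WINDOWS\\SYSTEM\\DCCOM32.EXE\n"
)

if __name__ == "__main__":
    print(match_files(SAMPLE_LISTING))
    print(match_run_values(SAMPLE_REG))
```

Matching is case-insensitive because Windows file and value names are; files with the same names outside a SYSTEM directory are not reported.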
Method of Infection
This worm arrives as an email attachment, often named SETUP.EXE. Executing this attachment and rebooting your system infects your machine.
Removal
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
- Delete the registry key(s) as mentioned above
- Restart the computer
- Delete the files mentioned above
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Roach.b (AVP)
- W32.Efortune.28672@mm (NAV)
- W95/Worm.Nymph@mm (F-Prot)
- Win32.Roach.B@mm (AVX)