W32/Sharpei@MM

Type: Virus
SubType: Win32
Discovery Date: 02/25/2002
Length: 12,288 bytes
Minimum DAT: 4189 (03/06/2002)
Updated DAT: 4274 (06/30/2003)
Minimum Engine: 5.1.00
Description Added: 03/01/2002
Description Modified: 03/08/2002 9:53 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This virus is detected as W32/Godog variant or W32/NGVCK variant with the 4170 DATs or higher. This is considered a LOW risk and is not in the wild.

This concept virus is the first virus to use the C# (pronounced C Sharp) programming language. On systems without the Microsoft .NET framework installed, it still runs, mass-mailing itself to all users found in the Microsoft Outlook address book. On systems that have the .NET framework installed, it also infects executable files by prepending its virus code to the front of the file. It arrives in an email message containing the following information:

Subject: Important: Windows update
Body: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

Attachment: MS02-010.exe

When the attachment is run, the local system is infected. The MS02-010.exe file is saved to the root directory. The executable first checks if the .NET framework is installed. If it is not, the virus simply drops the file sharp.vbs in the current directory and runs it. The VBScript file carries out the mail routine, deleting any email messages that were successfully sent by the virus. The script is detected as VBS/Scrambler with the 4140 DATs (or higher). The .EXE file also deletes this VBScript file after it executes.

If the .NET framework is installed, the virus prepends its code to .EXE files in the WINDOWS directory and in three subdirectories of the PROGRAM FILES folder.
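An added example (not part of the original description or any vendor tooling): a triage heuristic for the prepending behaviour described above. It assumes the prepended body is exactly the 12,288 bytes listed under Length, so the original host's MZ/PE header would start at that offset; the function names are hypothetical and the sample buffers are constructed.

```python
import struct

# "Length" field on this page; ASSUMED here to be the size of the prepended body.
VIRUS_LENGTH = 12288


def pe_header_at(data: bytes, base: int) -> bool:
    """Return True if an MZ header with a valid PE signature starts at `base`."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C of the DOS header) holds the offset of "PE\0\0",
    # relative to the start of that image.
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    pe_off = base + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def looks_prepended(data: bytes, prefix_len: int = VIRUS_LENGTH) -> bool:
    """Heuristic: one PE image at offset 0 and a second one right after the prefix."""
    return pe_header_at(data, 0) and pe_header_at(data, prefix_len)


def minimal_pe(size: int) -> bytes:
    """Constructed sample: zero-filled buffer with only the MZ/PE signatures set."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    clean = minimal_pe(4096)
    # Constructed "infected" layout: 12,288-byte image followed by the original host.
    prepended = minimal_pe(VIRUS_LENGTH) + clean
    # A large clean file whose bytes at offset 12,288 are not a PE header.
    large_clean = minimal_pe(VIRUS_LENGTH + 4096)
    for name, blob in (("clean", clean), ("prepended", prepended),
                       ("large_clean", large_clean)):
        print(f"{name}: second PE at offset {VIRUS_LENGTH} = {looks_prepended(blob)}")
```

A hit is only a lead for a full scan with current DATs: self-extracting archives and installers can also carry an embedded PE image.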

Symptoms

- Presence of C:\MS02-010.exe
- On machines with .NET installed:
  • CS.EXE is dropped in the %WinDir% directory
  • SHARP.VBS is dropped in the STARTUP folder. This VBScript displays a message box.
  • A registry entry is also created on these systems:
    • HKEY_LOCAL_MACHINE\Software\Sharp=%SHARP.EXE PATH%

Method of Infection

This is the first virus to use the .NET framework and also function without it.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Sharpei.a (AVP)
  • W32/Sharp (Panda)
  • WORM_SHARPEI.A (Trend)
