W32/Porkis@MM

Type
Virus
SubType
E-mail
Discovery Date
03/19/2002
Length
49,664 bytes
Minimum DAT
4192 (03/20/2002)
Updated DAT
4251 (03/05/2003)
Minimum Engine
5.1.00
Description Added
03/20/2002
Description Modified
03/20/2002 3:35 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailing worm contains its own SMTP engine, and is designed to use the system default SMTP server for spreading itself to addresses found in the Windows Address Book. The worm failed to mail itself when executed on English/US operating systems. If successfully mailed, strings within the worm reveal the message details to be as follows:

Subject:
  'Divertimento assicurato' or,
  'Leggete urgentemente questa e-mail (se avete tempo da perdere)' or,
  'Storielle'
From: <>
Attachment: 49,664 byte executable (not packed), named:
  PORKIS.EXE or,
  PIPPO.EXE or,
  BAR.EXE

Once executed on the victim machine, the worm displays a series of message boxes (in Italian, progressing through a dialogue). For example, the first message box:

The worm copies itself to the Windows directory as DLLMGR.EXE. It also adds a Registry value to run this copy of itself at subsequent system startups:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Dll Manager" = C:\WINDOWS\DLLMGR.EXE

Upon restarting, after a small time delay, the worm attempts to connect to the system default SMTP server (retrieved from the Registry), and mail itself to all entries in the Windows Address Book (the location of which is also retrieved from the Registry). As noted above, in testing on English/US operating systems, the worm did connect to the SMTP server, but failed to mail itself successfully.

Symptoms

Existence of the following file:

  • C:\WINDOWS\DLLMGR.EXE (49,664 bytes in length).

Method of Infection

The worm infects the victim machine upon its execution, by copying itself to the Windows directory, and hooking the Registry to run at system startup. The worm attempts to mail itself to entries found in the Windows Address Book.
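The two host-based indicators given in this description (the "Dll Manager" Run value pointing at C:\WINDOWS\DLLMGR.EXE and the 49,664-byte file itself) can be checked offline against collected artifacts. The following is an added example, not code from this description or from McAfee; it assumes a `.reg`-style export of the Run key and a (path, size) listing, both constructed here as sample input.

```python
import re

# Indicators taken from the description above.
WORM_FILE = r"C:\WINDOWS\DLLMGR.EXE"
WORM_SIZE = 49_664
RUN_VALUE_NAME = "Dll Manager"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: what a .reg export of the Run key might look like on an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dll Manager"="C:\\WINDOWS\\DLLMGR.EXE"
"SomeUpdater"="C:\\Program Files\\Vendor\\update.exe"
"""

# Constructed sample directory listing: (path, size in bytes).
SAMPLE_FILES = [
    (r"C:\WINDOWS\DLLMGR.EXE", 49_664),
    (r"C:\WINDOWS\NOTEPAD.EXE", 66_048),
]

def parse_run_values(reg_text):
    """Return {value_name: data} for the Run key found in a .reg export."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if in_run_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg exports escape each backslash as a double backslash.
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def find_porkis_indicators(reg_text, files):
    """Return the names of matching indicators; an empty list means none matched."""
    hits = []
    run_values = parse_run_values(reg_text)
    if run_values.get(RUN_VALUE_NAME, "").lower() == WORM_FILE.lower():
        hits.append("run_key")
    for path, size in files:
        if path.lower() == WORM_FILE.lower():
            hits.append("file_present")
            if size == WORM_SIZE:
                hits.append("file_size_match")
    return hits
```

A file at that path with a different size is still reported, since a repacked or modified copy would not match the length given here.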

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Borzella (AVP)
  • W32.Atram@mm (NAV)
  • W32.Storiel@mm (NAV)
  • WORM_PORKIS.A (Trend)
