W32/Cervivec@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 03/22/2002
Length: 228,872 bytes
Minimum DAT: 4194 (03/27/2002)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 03/22/2002
Description Modified: 03/27/2002 2:25 PM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low


Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This worm arrives as a ZIP file named WORMS.ZIP attached to an email. Inside the ZIP file is an executable named WORMS.EXE. The EXE is written in the Delphi programming language and packed with the UPX packer. When run, the worm adds a new value "Kernel Loader" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which ensures that the virus runs after every reboot. Then the worm displays a message box.

When the message box is closed, the payload triggers immediately and displays a spectacular image of colored worms eating the contents of the desktop.

The worm harvests ICQ software settings for email addresses.

The email message may, for example, read (the text varies, but not much; the Czech original is kept with an English translation in brackets):

Vtip [Joke]
Cervici [Worms]
Cau posilam ti cerviky tak se na to podivej (virus to neni) [Hi, I'm sending you the little worms, so take a look (it's not a virus)]

Symptoms

  • presence of the NTKRNL.EXE file in \WINDOWS\SYSTEM32 or \WINDOWS\SYSTEM
  • presence of the Registry value
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kernel Loader="C:\WINDOWS\system32\ntkrnl.exe -LOADDRIVERS=TRUE"
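As an added defensive check that is not part of McAfee's description, the PowerShell script below inspects a Windows host for the two indicators listed under Symptoms. It assumes the Run value name and the NTKRNL.EXE locations exactly as given above, resolves \WINDOWS through $env:SystemRoot, and only reports; it does not remove anything.

```powershell
# Added triage check for the W32/Cervivec@MM indicators (not McAfee's code).
# Read-only: reports findings, leaves cleaning to the engine/DAT files.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Kernel Loader'                      # value the worm adds
$paths = @(                                       # both locations named on the page
    (Join-Path $env:SystemRoot 'system32\ntkrnl.exe'),
    (Join-Path $env:SystemRoot 'system\ntkrnl.exe')
)

$findings = @()

# 1. Persistence: the Run value that makes the worm start after every reboot
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $data = $runValue.$valueName
    $findings += "Run value '$valueName' present: $data"
    if ($data -match 'ntkrnl\.exe') {
        $findings += "  -> command line points at ntkrnl.exe (matches the Cervivec entry)"
    }
}

# 2. Dropped file in \WINDOWS\SYSTEM32 or \WINDOWS\SYSTEM
foreach ($p in $paths) {
    if (Test-Path -Path $p -PathType Leaf) {
        $size = (Get-Item -Path $p).Length
        $findings += "File present: $p ($size bytes)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Cervivec@MM indicators found.'
} else {
    Write-Output 'Possible W32/Cervivec@MM infection:'
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Remediate with current engine and DAT files as described under Removal.'
}
```

Run it from an elevated PowerShell session so the HKLM key and the system directories are readable.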
Method of Infection

The worm is a mass-mailer: it arrives as the WORMS.ZIP email attachment and harvests email addresses from ICQ software settings (see Characteristics).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A
