W32/Urick@MM

Type
Virus
SubType
E-mail worm
Discovery Date
07/22/2002
Length
9,216 bytes
Minimum DAT
4216 (08/02/2002)
Updated DAT
4216 (08/02/2002)
Minimum Engine
5.1.00
Description Added
08/06/2002
Description Modified
08/23/2002 10:17 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

AVERT has yet to receive a field sample of this threat. This worm arrives in an email message containing the following information:

Subject: A Windows Trick
Body: This is a cool Windows Trick. Microsoft has not developed a patch for this because they do not want to.
Execute the file attached to learn more of this Windows Trick.
If it did not work, use a Linux system instead.
The Microsoft Support Team.

Attachment: [varies - name of the file as run by the infected user].exe

When the attachment is run, the worm copies itself to the My Documents folder as [attachment filename].exe and to the WINDOWS SYSTEM folder as [attachment filename].jpg.exe. A registry run key is created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\filename=%My Documents%\filename.exe
The worm attempts to send itself to all users found in the Microsoft Outlook address book using MAPI messaging.

Symptoms

If the day of the month is 5, 10, 15, 20, 25 or 30, a payload is activated that displays an unclosable message box:

The START BUTTON on the taskbar is grayed out and unclickable. However, the keyboard shortcuts (CTRL - ESC, or the WINDOWS key) still work. A registry key value is also modified that prevents WINDOWS from shutting down properly.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Shutdown Setting=2
When attempting to shut down Windows, a message box is displayed:

Method of Infection

This worm spreads via email, mass-mailing itself to users found in the Microsoft Outlook address book.
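
The persistence entry from Characteristics and the shutdown-blocking value from Symptoms can be audited on a host. The script below is an added example, not part of the AVERT description; it assumes the registry value name "Shutdown Setting" and the copy locations exactly as stated above, and treats a Run value as suspicious only when both the My Documents copy and the matching .jpg.exe copy in the system directory exist.

```powershell
# Added example (not from the AVERT description): audit a host for the
# persistence and payload indicators described above. Read-only unless
# -Remediate is supplied; run in an elevated PowerShell session.
param([switch]$Remediate)

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$explKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$myDocs   = [Environment]::GetFolderPath('MyDocuments')
$sysDir   = [Environment]::SystemDirectory
$findings = @()

# 1. Run values whose data is an .exe in My Documents and which have a
#    <name>.jpg.exe twin in the system directory (both copies named above).
$run = Get-ItemProperty -Path $runKey
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
    $data = ([string]$p.Value).Trim('"')
    if ($data -notmatch '\.exe$') { continue }
    $leaf    = [IO.Path]::GetFileName($data)
    $base    = [IO.Path]::GetFileNameWithoutExtension($leaf)
    $docCopy = Join-Path $myDocs $leaf
    $sysCopy = Join-Path $sysDir "$base.jpg.exe"
    if ((Test-Path -LiteralPath $docCopy) -and (Test-Path -LiteralPath $sysCopy)) {
        $findings += [pscustomobject]@{ Indicator = 'RunKey'; Name = $p.Name; Data = $data; Copy = $sysCopy }
        if ($Remediate) {
            Remove-ItemProperty -Path $runKey -Name $p.Name
            Remove-Item -LiteralPath $docCopy, $sysCopy -Force
        }
    }
}

# 2. The value that prevents a clean shutdown (name and data as given above;
#    assumed to be a plain value under the Explorer key).
$sd = Get-ItemProperty -Path $explKey -Name 'Shutdown Setting' -ErrorAction SilentlyContinue
if ($sd -and $sd.'Shutdown Setting' -eq 2) {
    $findings += [pscustomobject]@{ Indicator = 'ShutdownSetting'; Name = 'Shutdown Setting'; Data = 2; Copy = $null }
    if ($Remediate) { Remove-ItemProperty -Path $explKey -Name 'Shutdown Setting' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Urick indicators found.' }
```

Removing the Run value and the two file copies stops the worm from reloading at startup; a reboot is still needed for the payload (greyed Start button) to clear from a running session.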

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Urick (AVP)
  • W32.Urick.A@mm (Symantec)
  • WORM_URICK.A (Trend)
