Content

VBS/Carewmr.A

Type
Trojan
SubType
VbScript
Discovery Date
10/22/2002
Length
3,292
Minimum DAT
4188 (02/27/2002)
Updated DAT
4188 (02/27/2002)
Minimum Engine
5.1.00
Description Added
10/22/2002
Description Modified
10/23/2002 1:02 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This threat is detected as VBS/Ardin. On executing the script, the following messages are displayed:

Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer

ERROR!, Code error:3212552, please execute this tool in MS-DOS.

Thank You for prefer Kaspersky Labs Products

If the date is September 1st, the following message will be displayed:

Mr.Carew vuelve otra vez!!,jaja

The trojan then opens the default internet browser to http:\\www.avp.ru. The following registry keys will be deleted:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro
The following 0 byte files will be created:
  • C:\Norton2003isbad_preferKAVORAVP
  • C:\AVP
  • C:\NAV
  • C:\CHILE
  • C:\TEMUCO
  • C:\MCAFEE
  • C:\ENTELPCS
  • C:\GSM1900MHZ
  • C:\SONYERICSSON
  • C:\CAREFULLY_WHIT_ME
  • C:\YOUR_PC_IS_VERY_BAD
  • C:\I HATE MELINA
  • C:\VBS.CarewMR.a
  • C:\Windows is a real virus?
  • C:\MELINA_TE_ODIO_MUERETE!
  • C:\WindowsXP
  • C:\Windows3.11
  • C:\Windows98SE
  • C:\WindowsME
  • C:\Windows 95
  • C:\WindowsNT
  • C:\Windows2000
  • C:\TELLCELL S.A
  • C:\PORN
  • C:\ORAL_SEX
  • C:\BIN_LADEN_F**KYOU
  • C:\ICQ
  • C:\PANDA
  • C:\NOD32
  • C:\TREND
  • C:\PC-CILLIN
  • C:\AvpM.exe
  • C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!
  • C:\Norton_thePOOR
  • C:\Madonna_Sucking_my_****.avi
  • C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja
  • C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES
The following folders will be created:
  • C:\Symantec
  • C:\KasperskyLabs
  • C:\PandaSoftware
  • C:\TrendMicro
  • C:\Eset-Nod-f**ked
The trojan will delete the "C:\Windows" directory. The file CLRAV_Report.log will also be created with the following text:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

Symptoms

The presence of the above message, files and directories.

Method of Infection

Executing the VBScript file.

Removal

Use specified engine and DAT files for detection and removal. Delete any file which contains this detection. Delete any folders created by this threat.

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trojan.VBS.Carewmr
  • VBS.AVFake (NAV)

Characteristics

Characteristics -

This threat is detected as VBS/Ardin. On executing the script, the following messages are displayed:

Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer

ERROR!, Code error:3212552, please execute this tool in MS-DOS.

Thank You for prefer Kaspersky Labs Products

If the date is September 1st, the following message will be displayed:

Mr.Carew vuelve otra vez!!,jaja

The trojan then opens the default internet browser to http:\\www.avp.ru. The following registry keys will be deleted:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro
The following 0 byte files will be created:
  • C:\Norton2003isbad_preferKAVORAVP
  • C:\AVP
  • C:\NAV
  • C:\CHILE
  • C:\TEMUCO
  • C:\MCAFEE
  • C:\ENTELPCS
  • C:\GSM1900MHZ
  • C:\SONYERICSSON
  • C:\CAREFULLY_WHIT_ME
  • C:\YOUR_PC_IS_VERY_BAD
  • C:\I HATE MELINA
  • C:\VBS.CarewMR.a
  • C:\Windows is a real virus?
  • C:\MELINA_TE_ODIO_MUERETE!
  • C:\WindowsXP
  • C:\Windows3.11
  • C:\Windows98SE
  • C:\WindowsME
  • C:\Windows 95
  • C:\WindowsNT
  • C:\Windows2000
  • C:\TELLCELL S.A
  • C:\PORN
  • C:\ORAL_SEX
  • C:\BIN_LADEN_F**KYOU
  • C:\ICQ
  • C:\PANDA
  • C:\NOD32
  • C:\TREND
  • C:\PC-CILLIN
  • C:\AvpM.exe
  • C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!
  • C:\Norton_thePOOR
  • C:\Madonna_Sucking_my_****.avi
  • C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja
  • C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES
The following folders will be created:
  • C:\Symantec
  • C:\KasperskyLabs
  • C:\PandaSoftware
  • C:\TrendMicro
  • C:\Eset-Nod-f**ked
The trojan will delete the "C:\Windows" directory. The file CLRAV_Report.log will also be created with the following text:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

Symptoms

Symptoms -

The presence of the above message, files and directories.

Method of Infection

Method of Infection -

Executing the VBScript file.

Removal -

Removal -

Use specified engine and DAT files for detection and removal. Delete any file which contains this detection. Delete any folders created by this threat.

Variants

Variants -

    N/A