
W32/Erdine.worm

Type: Virus
SubType: Worm
Discovery Date: 12/17/2002
Length: 16,896 bytes
Minimum DAT: 4239 (12/23/2002)
Updated DAT: 4311 (12/24/2003)
Minimum Engine: 5.1.00
Description Added: 12/17/2002
Description Modified: 12/19/2002 2:18 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

Update 12/19/2002:

Due to the late appearance of this virus and the extra quality assurance testing required, AVERT decided to include it in the next (4239) weekly DAT update. Unfortunately, this information did not make it into the readme.txt file. If you would like an extra.dat for this threat, please write to extradat@avertlabs.com

This worm copies itself to mapped network drives and adds an .SCR extension to local executable file names. When run, a message box is displayed:

Agungé tresnaku marang sliramu Tansah biso ngilangaké asmo ERDIEN

The worm copies itself to the current directory as OMOI.SCR and to the WINDOWS (%WinDir%) directory as KERNEL32.EXE. A registry run key is created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "OMOI" = C:\WINDOWS\kernel32.exe
The worm checks the type of each drive with a letter. If the drive type is a network drive, the worm copies itself to that location as OMOI.SCR. The worm also renames one .EXE file in the WINDOWS directory by adding a .SCR extension (i.e. DEFRAG.EXE -> DEFRAG.EXE.SCR).

Symptoms

- Presence of OMOI.SCR
- Presence of KERNEL32.EXE in the WINDOWS directory
- .EXE files renamed with the extension .EXE.SCR
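As an added detection example (not part of the AVERT description), the following Python code scans a directory tree and a list of exported Run-key values for the artifacts listed above: the OMOI.SCR copy, KERNEL32.EXE dropped into the WINDOWS directory, .EXE.SCR renamed victims, and the "OMOI" run value. The sample tree and registry entries it builds are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the description, compared case-insensitively as Windows does.
DROPPED_COPY = "omoi.scr"
WINDIR_DROP = "kernel32.exe"
RUN_KEY_PATH = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def scan_tree(root, windir):
    """Return (indicator, path) pairs for the worm's file artifacts found under root."""
    hits = []
    windir_norm = os.path.normcase(os.path.abspath(windir))
    for dirpath, _dirs, files in os.walk(root):
        in_windir = os.path.normcase(os.path.abspath(dirpath)) == windir_norm
        for name in files:
            lower, path = name.lower(), os.path.join(dirpath, name)
            if lower == DROPPED_COPY:
                hits.append(("dropped_copy", path))
            elif lower == WINDIR_DROP and in_windir:
                # The genuine kernel32 is a DLL under System32; an EXE in %WinDir% is the drop.
                hits.append(("windir_drop", path))
            elif lower.endswith(".exe.scr"):
                # A renamed victim such as DEFRAG.EXE.SCR, not a normal screensaver.
                hits.append(("renamed_exe", path))
    return hits


def scan_run_values(run_values):
    """Flag Run entries named OMOI or launching kernel32.exe from (key, name, data) triples."""
    hits = []
    for key, name, data in run_values:
        if key.lower() == RUN_KEY_PATH.lower() and (
                name.lower() == "omoi" or data.lower().endswith("kernel32.exe")):
            hits.append(("run_key", f"{name} = {data}"))
    return hits


def demo():
    """Build a constructed infected-looking tree and registry sample; return hits per indicator."""
    root = tempfile.mkdtemp()
    windir = os.path.join(root, "WINDOWS")
    os.makedirs(os.path.join(windir, "system32"))
    for rel in ("OMOI.SCR", "WINDOWS/KERNEL32.EXE", "WINDOWS/DEFRAG.EXE.SCR",
                "WINDOWS/system32/kernel32.dll", "WINDOWS/NOTEPAD.EXE"):
        open(os.path.join(root, *rel.split("/")), "wb").close()  # benign entries must not fire
    regs = [(RUN_KEY_PATH, "OMOI", r"C:\WINDOWS\kernel32.exe"),
            (RUN_KEY_PATH, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]
    hits = scan_tree(root, windir) + scan_run_values(regs)
    return dict(Counter(kind for kind, _ in hits))
```

On a real system, point scan_tree at each mapped drive root and the Windows directory, and feed scan_run_values the Run key exported with reg.exe; a clean machine should return no hits.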

Method of Infection

This worm spreads by copying itself to mapped network drives.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
