Virus Alert! [email protected] Subject: bill caricature

Question

Virus Alert! [email protected] Subject: bill caricature

Answer

This question was answered on March 25, 2002. Much of the information contained herein may have changed since posting.

[email protected] is a mass-mailing worm that uses Microsoft Outlook to spread to all addresses in the Outlook address book It copies itself to C:\Windows \System\Cari.scr and may delete files, depending on the system time.

Originally discovered on 3/21/2002, it has spread at an alarming rate.

Here is what to watch for:

Subject: "bill caricature"

Message:

Hiiiii

How are youuuuuuuu?

look to bill caricature it's vvvery verrrry ffffunny :-) :-)

i promise you will love it? ok

buy

========No Viruse Found========

MCAFEE.COM

--------------------------------------------------------

Attachment: Cari.scr

It displays the following graphic:

<img src="http://computerproblems.com/images/cari.gif" alt="Image displayed in infected messages">

What it does:

The payload of this worm will activate if the worm is run when the system time is between 8:00 A.M and 9:00 A.M.

The worm attempts to set itself to run with Windows by adding the value:

win c:\windows\system\cari.scr

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It also attempts to delete the following files:

C:\*.*

*.sys

*.vxd

*.ocx

*.nls

d:\*.*

e:\*.*

f:\*.*

As usual, don't open file attachments from ANYONE, especially people that you know, unless you know exactly what it is...

The current versions of anti-virus software can detect and remove this worm, so if you have not updated your virus definition file in the last 30 days, be sure to do so!

Need Help with this Issue?

We help people with technology! It's what we do.
Schedule an Appointment with a location for help!

Author

Posted by Ken of Data Doctors on March 25, 2002