i-worm.atiru
Description:
Details
I-Worm.Atirus
This is a Win32 worm that spreads by e-mailing itself to the recipients in a victim's Outlook address book.
When launched on a 'clean' PC, the worm copies itself to %SYSTEM%\Setup30.exe. The worm also writes an auto-start key, so it will launch each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Setup=%SYSTEM%\Setup30.exe
The worm then suspends for 5 minutes and launches one of its payloads, chosen by the day of the week in the system time:
Monday: finds and removes I-Worm.Badtrans
Tuesday: restores default values in Win.ini:
[windows]
Run=
Load=
and sets the following registry key value:
HKCR\exefile\shell\open\command
Default value="%1" %*
Wednesday: finds and removes I-Worm.PrettyPark
Thursday: deletes the following files if they exist:
c:\mirc\mirc.ini
c:\mirc\script.ini
c:\mirc32\mirc.ini
c:\mirc32\script.ini
c:\irc\mirc.ini
c:\irc\script.ini
c:\chat\mirc.ini
c:\chat\script.ini
c:\progra~1\mirc\mirc.ini
c:\progra~1\mirc\script.ini
c:\progra~1\mirc32\mirc.ini
c:\progra~1\mirc32\script.ini
c:\progra~1\irc\mirc.ini
c:\progra~1\irc\script.ini
Friday: finds and removes I-Worm.Sircam.c
Saturday: restores default values in System.ini:
[boot]
Shell=explorer.exe
Sunday: finds and deletes all files with a ".vbs" extension in the %WINDOWS% and %SYSTEM% folders.
On September 16, the worm displays the following message:
Antivirus
System protected by I-Worm.Antivirus
Copyright (c) 2001 by aLL3gRo
After executing the payload, the worm checks whether the following registry value is present:
HKLM\Software\Microsoft\Windows\CurrentVersion
Install=1
If the value doesn't exist, the worm tries to send itself to the senders of messages found in the default MAPI client's folders.
The message has the subject "New antivirus tool" and carries the attachment "Antivirus.exe", which is the worm itself. The body contains:
Hey, checkout this new antivirus tool which checks your system for viruses
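A defensive check for the registry traces described above, as an added example that is not part of the original description: it parses text in the "reg export" format and reports the "Kernel Setup" auto-start value and the Install value the worm checks. The sample export is constructed, and the function names and the accepted encodings of Install=1 are assumptions.

```python
import re

# Key paths from the description above, lowercased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VERSION_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"

# Constructed sample in "reg export" text form (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Install"="1"
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Kernel Setup"="C:\\WINDOWS\\SYSTEM\\Setup30.exe"
'''

def parse_reg_export(text):
    """Return {lowercased key path: {value name: raw data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_atirus_indicators(text):
    """Return (kind, value name, raw data) tuples for the worm's registry traces."""
    keys = parse_reg_export(text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Match on the value name or on the dropped file name.
        if name.lower() == "kernel setup" or "setup30.exe" in data.lower():
            hits.append(("autostart", name, data))
    for name, data in keys.get(VERSION_KEY, {}).items():
        # Value type is not stated in the description: accept string or DWORD 1.
        if name.lower() == "install" and data.lower() in ('"1"', "dword:00000001"):
            hits.append(("install-marker", name, data))
    return hits

if __name__ == "__main__":
    for hit in find_atirus_indicators(SAMPLE_EXPORT):
        print(hit)
```

Files written by "reg export" are UTF-16 encoded, so decode them before passing the text to find_atirus_indicators.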
Copyright @2006 i-worm.atiru