Top 10 malware reported to Sophos in December 2000
This section describes how W32/Prolin behaves.
W32/Prolin is a worm which uses Microsoft Outlook to spread.
The worm arrives as an attachment to an email message with the subject "A
great Shockwave flash movie". The body of the message contains the text
"Check out this new flash movie that I downloaded just now...It's Great,
Bye".
The attached filename is CREATIVE.EXE. If the attached file is run, the worm
copies itself into C:\CREATIVE.EXE and C:\Windows\Start
Menu\Programs\Startup\CREATIVE.EXE and sends itself as an attachment to all
contacts from your Outlook address book. It also sends an email with the
subject "Job complete" and the text "Got yet another idiot." to a Yahoo
email address.
The worm looks for any files with the extension MP3, JPG or ZIP and moves
them into the C:\ directory. The contents of the moved files remain unchanged,
but the worm renames each file by appending the string "change at least now
to Linux" to its extension, e.g. from "Flowers.jpg" to "Flowers.jpgchange at
least now to Linux".
In order to restore the files they should be moved to their default location
and renamed so that the concatenated string is removed from the filename.
The worm also creates a text file C:\Messageforu.txt which can help to
restore the files. The file contains the following text:
"Hi, guess you have got this message. I have kept a list of files that I
have infected under this. If you are smart enough just reverse back the
process. i could have done far better damage, i could have even completely
wiped you harddisk. Remember this is a warning & get it sound and clear... -
The Penguin"
The file also contains a list of the previous locations for all the renamed
files which were moved to the C:\ directory.
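
A recovery script for the restore steps described above, as an added example (not Sophos code): it strips the appended string from MP3, JPG and ZIP files in a folder and, where you supply a file's original folder from the list in C:\Messageforu.txt, moves the file back there. The function names, the `locations` mapping and the dry-run default are assumptions; the layout of Messageforu.txt is not given here, so the script does not parse it.

```python
import os
import shutil

SUFFIX = "change at least now to Linux"   # string the worm appends, per the description
EXTENSIONS = (".mp3", ".jpg", ".zip")     # file types the worm moves and renames

def original_name(name):
    """Return the pre-infection filename, or None if the worm did not rename it."""
    if not name.endswith(SUFFIX):
        return None
    stripped = name[:-len(SUFFIX)]
    base, ext = os.path.splitext(stripped)
    # Only touch names that still end in a targeted extension once the suffix is gone.
    if not base or ext.lower() not in EXTENSIONS:
        return None
    return stripped

def restore(scan_dir, locations=None, dry_run=True):
    """Strip the suffix from renamed files in scan_dir and move them home.

    locations: optional dict {original filename: original folder}, filled in by
    hand from the list in Messageforu.txt. Files without an entry stay in scan_dir.
    Returns a list of (source, destination, status) tuples.
    """
    locations = locations or {}
    results = []
    for entry in sorted(os.listdir(scan_dir)):
        src = os.path.join(scan_dir, entry)
        name = original_name(entry)
        if name is None or not os.path.isfile(src):
            continue
        dest_dir = locations.get(name, scan_dir)
        dst = os.path.join(dest_dir, name)
        if os.path.exists(dst):
            # Never overwrite: a file with the original name is already there.
            results.append((src, dst, "skipped: destination exists"))
            continue
        if not dry_run:
            os.makedirs(dest_dir, exist_ok=True)
            shutil.move(src, dst)
        results.append((src, dst, "planned" if dry_run else "restored"))
    return results

if __name__ == "__main__":
    # Dry run over C:\ (where the worm moves the files): prints the plan only.
    for src, dst, status in restore("C:\\", dry_run=True):
        print(f"{status}: {src} -> {dst}")
```

Review the dry-run output first, then call `restore` with `dry_run=False` once the worm itself has been removed.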