VBS/Carewmr.A
Analysis
- Threat is 3272 bytes and may be named "CLRAV.EXE.vbs"
in an effort to trick users into running the file
as a component of an Antivirus scanner
- If threat is executed on a viable host, it may delete
several registry keys associated with loading certain
system monitor applications, including:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\SystemTray
\AVPCC
\NAVW32
\TrueVector
\ZoneAlarm Pro
- Virus attempts to create numerous zero byte files
in the root of C: drive in an effort to delete the
following folders:
C:\Norton2003isbad_preferKAVORAVP
C:\AVP
C:\NAV
C:\CHILE
C:\TEMUCO
C:\MCAFEE
C:\ENTELPCS
C:\GSM1900MHZ
C:\SONYERICSSON
C:\CAREFULLY_WHIT_ME
C:\YOUR_PC_IS_VERY_BAD
C:\I HATE MELINA
C:\VBS.CarewMR.a
C:\Windows is a real virus?
C:\MELINA_TE_ODIO_MUERETE!
C:\WindowsXP
C:\Windows3.11
C:\Windows98SE
C:\WindowsME
C:\Windows 95
C:\WindowsNT
C:\Windows2000
C:\TELLCELL S.A
C:\PORN
C:\ORAL_SEX
C:\BIN_LADEN_FUCKYOU
C:\ICQ
C:\PANDA
C:\NOD32
C:\TREND
C:\PC-CILLIN
C:\AvpM.exe
C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!
C:\Norton_thePOOR
C:\Madonna_Sucking_my_dick.avi
C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja
C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITVES-FALSES
- In the last case, if the threat is executed on a
Windows NT system, the file is instead a memory stream.
- Virus attempts to create several folders on drive
C:, including:
C:\Symantec
C:\KasperskyLabs
C:\PandaSoftware
C:\TrendMicro
C:\Eset-Nod-fucked
- Threat attempts to delete the folder "C:\Windows"
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |