Virus

VBS/Carewmr.A

Analysis

  • Threat is 3272 bytes and may be named "CLRAV.EXE.vbs" in an effort to trick users into running the file as a component of an Antivirus scanner
  • If threat is executed on a viable host, it may delete several registry keys associated with loading certain system monitor applications, including:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    \SystemTray
    \AVPCC
    \NAVW32
    \TrueVector
    \ZoneAlarm Pro

  • Virus attempts to create numerous zero byte files in the root of C: drive in an effort to delete the following folders:

    C:\Norton2003isbad_preferKAVORAVP
    C:\AVP
    C:\NAV
    C:\CHILE
    C:\TEMUCO
    C:\MCAFEE
    C:\ENTELPCS
    C:\GSM1900MHZ
    C:\SONYERICSSON
    C:\CAREFULLY_WHIT_ME
    C:\YOUR_PC_IS_VERY_BAD
    C:\I HATE MELINA
    C:\VBS.CarewMR.a
    C:\Windows is a real virus?
    C:\MELINA_TE_ODIO_MUERETE!
    C:\WindowsXP
    C:\Windows3.11
    C:\Windows98SE
    C:\WindowsME
    C:\Windows 95
    C:\WindowsNT
    C:\Windows2000
    C:\TELLCELL S.A
    C:\PORN
    C:\ORAL_SEX
    C:\BIN_LADEN_FUCKYOU
    C:\ICQ
    C:\PANDA
    C:\NOD32
    C:\TREND
    C:\PC-CILLIN
    C:\AvpM.exe
    C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!
    C:\Norton_thePOOR
    C:\Madonna_Sucking_my_dick.avi
    C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja
    C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSIT
    VES-FALSES

  • In the last case, if the threat is excuted on a Windows NT system, the file is instead a memory stream.
  • Virus attempts to create several folders on drive C:, including:

    C:\Symantec
    C:\KasperskyLabs
    C:\PandaSoftware
    C:\TrendMicro
    C:\Eset-Nod-fucked

  • Threat attempts to delete the folder "C:\Windows"