
Win32.Refoav.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Refoav.A@mm is also known as N/A.

Explanation :

The worm arrives attached to e-mail messages that look like the following (Spanish lure text kept verbatim, with English translations in parentheses):
Subject : Fw:Ipresionante (a misspelling of "Impresionante", i.e. "Fw: Impressive")
Text : Pues eso simplemente impresionante........ ("Well, that's it, simply impressive........")
Attachment : foavre.exe

When the attachment is executed, the worm receives control and copies itself to the file C:\foavre.exe, then drops from its body the file C:\vbseli.vbs and registers it to run at system startup.

The worm then collects the e-mail addresses from the user's address book and mails itself to each of those addresses, relaying through the SMTP server interlap.com.ar with the username foavre. In addition to spreading, the worm saves the registered user name and company, together with the collected e-mail addresses, into the file C:\datospc.dat and attempts to send that file to the virus writer at defecto@hotmail.com. If that transfer succeeds, the worm deletes C:\datospc.dat.

At the first reboot, or whenever C:\vbseli.vbs is executed, the worm displays the following message boxes (Spanish text kept verbatim, including the original spelling errors, with English translations below):

Usted ha sido infectado por el virus FOAVRE
Este no es un virus maligno, no se preocue su sistema sera restaurado, y no quedara rastro del virus
Este es un virus de aviso, tenga cuidado con los archivos que recibe y abre
NO A LA GUERRA
Perdone las molestias en breve recibira un correo indicando su numero en la lista de infectados

(Translation: "You have been infected by the FOAVRE virus" / "This is not a malicious virus, do not worry, your system will be restored and no trace of the virus will remain" / "This is a warning virus, be careful with the files you receive and open" / "NO TO WAR" / "Sorry for the inconvenience, you will shortly receive an e-mail stating your number in the list of infected machines")

After that, the worm removes itself from the computer by deleting its startup registry entry and its own files. Because of this self-cleanup, the dropped files may already be gone by the time a machine is examined; the outbound mail (the lure message to every address-book contact, and the C:\datospc.dat upload to defecto@hotmail.com via interlap.com.ar) is the more durable evidence.
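The following is an added example, not part of the BitDefender description and not code from the malware: it turns the indicators above (the lure subject and attachment name, the dropped files, the relay host and the exfiltration address) into simple checks a responder can run over captured mail and a file listing. The raw messages and the file paths are constructed samples; the From address (foavre at the relay host) and the placeholder attachment bytes are assumptions, not values taken from the page, and the file paths assume the backslash after the drive letter was lost in extraction.

```python
"""Indicator checks for Win32.Refoav.A@mm (added example; samples are constructed)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Iterable, List, Optional, Set

# Indicators quoted in the description above.
LURE_SUBJECT = "Fw:Ipresionante"
LURE_ATTACHMENT = "foavre.exe"
EXFIL_FILE = "datospc.dat"
DROPPED_FILES = {r"c:\foavre.exe", r"c:\vbseli.vbs", r"c:\datospc.dat"}
SMTP_RELAY = "interlap.com.ar"
EXFIL_ADDRESS = "defecto@hotmail.com"


def build_sample_message(subject: str, body: str, attachment_name: str,
                         to: str = "victim@example.invalid",
                         relay: Optional[str] = None) -> bytes:
    """Construct a raw RFC 5322 message with one attachment (constructed sample,
    not a real capture). The From address is an assumption built from the
    username and relay host named in the description."""
    msg = EmailMessage()
    msg["From"] = "foavre@interlap.com.ar"  # assumption
    msg["To"] = to
    msg["Subject"] = subject
    if relay:  # simulate the receiving MTA's trace header
        msg["Received"] = f"from {relay} (constructed) by mx.example.invalid"
    msg.set_content(body)
    # Placeholder attachment bytes; only the file name matters for this check.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def score_message(raw: bytes) -> List[str]:
    """Return the indicators matched by one raw message, in a fixed order:
    subject, then attachment(s), then relay host, then exfil recipient."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() == LURE_SUBJECT.lower():
        hits.append("subject")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            hits.append("attachment")
        elif name == EXFIL_FILE:
            hits.append("exfil-file")
        elif name.endswith(".exe"):
            # Generalisation: any executable attachment is worth flagging.
            hits.append("exe-attachment")

    # The worm relays through interlap.com.ar; the receiving MTA records that
    # host in a Received: header.
    if any(SMTP_RELAY in rcv.lower() for rcv in msg.get_all("Received", [])):
        hits.append("relay")

    if EXFIL_ADDRESS in (msg["To"] or "").lower():
        hits.append("exfil-recipient")
    return hits


def check_dropped_files(paths: Iterable[str]) -> Set[str]:
    """Return which of the worm's dropped files appear in a file listing.
    Comparison is case-insensitive and tolerant of forward slashes."""
    normalised = {p.replace("/", "\\").lower() for p in paths}
    return DROPPED_FILES & normalised


if __name__ == "__main__":
    lure = build_sample_message(LURE_SUBJECT,
                                "Pues eso simplemente impresionante........",
                                LURE_ATTACHMENT, relay=SMTP_RELAY)
    print("lure message:", score_message(lure))
    print("dropped files:", check_dropped_files(
        [r"C:\Windows\notepad.exe", r"C:\FOAVRE.EXE", "c:/vbseli.vbs"]))
```

The checks are deliberately exact-match on the strings the description gives; the one generalisation (flagging any .exe attachment) is marked as such in the code. Note that because the worm deletes its own files after showing the message boxes, check_dropped_files may return nothing on a machine that has already rebooted, while the mail-side indicators survive in MTA logs.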

Last update 21 November 2011
