Win32.Neroma.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win32.Neroma.A@mm is also known as Win32.FireButton.A@mm, W32.Neroma@mm, WORM_NEROMA.A.
Explanation :
If you have virus definitions older than 03 September 2003, BitDefender detects this worm as Win32.VB.Generic.
The worm is written in Visual Basic and comes by e-mail.
The message description is:
Subject: It's Near 911!
Attachment: 911.jpg (the actual file name is Nerosys.exe)
Message text: Nice butt baby!
When the worm is executed, it copies itself to the Windows directory:
%WINDIR%\Nerosys.exe
(%WINDIR% is the Windows directory, so the path becomes, for instance, C:\Windows\Nerosys.exe)
On Windows 95, 98 and Millennium, the worm replaces the shell command in %WINDIR%\SYSTEM.INI, under the [Boot] section:
shell=Explorer.exe nerosys.exe
In Windows NT4, 2000, XP and 2003, the worm replaces the registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nerosys.exe"
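A check for the shell modification described above, as an added example that is not part of the BitDefender description: it parses the [boot] section of SYSTEM.INI text and a Winlogon Shell string, and reports any program listed besides Explorer.exe. The function names and the sample inputs are assumptions constructed for illustration.

```python
import ntpath

EXPECTED_SHELL = "explorer.exe"

# Constructed sample inputs (not captured from a real system).
SAMPLE_SYSTEM_INI = """\
; constructed sample
[boot]
shell=Explorer.exe nerosys.exe
system.drv=system.drv

[386Enh]
shell=ignored-outside-boot
"""
SAMPLE_WINLOGON_SHELL = '"Explorer.exe nerosys.exe"'


def system_ini_shell(text):
    """Return the shell= value from the [boot] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None


def extra_shell_programs(shell_value):
    """List entries in a shell string whose file name is not Explorer.exe."""
    # Simple whitespace/comma tokenization: a path containing spaces is split
    # into pieces, which are still reported as unexpected entries.
    tokens = shell_value.replace('"', " ").replace(",", " ").split()
    return [t for t in tokens if ntpath.basename(t).lower() != EXPECTED_SHELL]


def audit(system_ini_text=None, winlogon_shell=None):
    """Map each inspected location to the unexpected programs found in it."""
    sources = {
        "SYSTEM.INI [boot] shell": system_ini_shell(system_ini_text or ""),
        "Winlogon Shell": winlogon_shell,
    }
    found = {name: extra_shell_programs(v) for name, v in sources.items() if v}
    return {name: extras for name, extras in found.items() if extras}
```
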
The worm uses the Microsoft Outlook mailing system to send mail to all e-mail addresses in the Windows Address Book.
At the beginning of the executable file, you can see the following text: This is Neroma Worm for .::911 : 119::.
Last update 21 November 2011