Win32.Scold.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Scold.A@mm is also known as I-Worm.Scold (KAV).
Explanation:
This worm is written in Visual Basic and packed with UPX; it embeds the picture above in JPEG format. It arrives in an email in the following format:
Subject:
Fw: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
Re: When It´s Cold Outside She Gives Me Warm Inside [whitespaces] [random characters]
Body:
You will love this cute picture. or Enjoy this great picture. or Don´t miss this cool picture.
============= Free Online Virus Scan =============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.
Attachment: [the random characters in the Subject line][random digits].scr
When run, it copies itself as Worm.scr in the Windows folder and creates the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExeName32 so that Windows runs the worm at every start-up.
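The message format above, expressed as a mail-filter check (an added example, not part of the original write-up): it ties the attachment name to the random characters in the Subject line. The function names, indicator labels and sample values are constructed for illustration, and the random characters are assumed to contain no whitespace.

```python
import re
from email.message import EmailMessage

# Subject phrase from the write-up; group 1 captures the random characters
# that the worm reuses as the attachment-name prefix.
SUBJECT_RE = re.compile(
    r"^(?:Fw|Re):\s+When It[´'’]s Cold Outside She Gives Me Warm Inside\s+(\S+)\s*$",
    re.IGNORECASE)
BODY_LINES = ("You will love this cute picture.", "Enjoy this great picture.",
              "Don´t miss this cool picture.")
FAKE_SCAN_BANNER = "Free Online Virus Scan"

def scold_indicators(subject, body, attachment_names):
    """Return the set of indicator labels (hypothetical names) that match."""
    subject, body = subject or "", body or ""
    names = [n or "" for n in attachment_names]
    hits = set()
    m = SUBJECT_RE.match(subject)
    if m:
        hits.add("subject")
        # Attachment name = [subject's random characters][random digits].scr
        name_re = re.compile(re.escape(m.group(1)) + r"\d+\.scr", re.IGNORECASE)
        if any(name_re.fullmatch(n) for n in names):
            hits.add("attachment_matches_subject")
    if any(n.lower().endswith(".scr") for n in names):
        hits.add("scr_attachment")
    if any(line in body for line in BODY_LINES):
        hits.add("body_line")
    if FAKE_SCAN_BANNER in body:
        hits.add("fake_scan_banner")
    return hits

def inspect_message(msg):
    """Pull subject, plain-text body and attachment names from an EmailMessage."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    names = [a.get_filename() for a in msg.iter_attachments()]
    return scold_indicators(msg["Subject"], body, names)

def constructed_sample(subject, filename):
    """Constructed message for testing (not a capture); the payload is inert."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Enjoy this great picture.\n"
                    "============= Free Online Virus Scan =============\n")
    msg.add_attachment(b"inert", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg
```

For raw mail, parse with `email.message_from_bytes(raw, policy=email.policy.default)` and pass the result to `inspect_message`.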
It uses Outlook to send identical emails in the format above to:
- the user's contacts in the Address Book;
- email addresses found in .htm/.html files in the folder pointed to by the registry entry HKCU\Software\Microsoft\Internet Explorer\Main\Save Directory;
- contacts found in .ctt files in My Documents.
(It creates a copy of itself in the Windows folder with the random name used for the attachment in order to create the email messages.)
The emails are enqueued in Outlook's Outbox; after being sent, they are deleted.
Last update 21 November 2011