
Win32.Neroma.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Neroma.B@mm is also known as W32/Neroma-B (Sophos).

Explanation :

If you have virus definitions older than 05 September 2003, BitDefender detects this worm as Win32.VB.Generic.

The worm is written in Visual Basic and comes by e-mail.

The message description is:
Subject: Time to 911!
Attachment: 119.gif (the actual file name is nrs.exe)
Message text: Hi, Nice butt!

When the worm is executed, it copies itself to the Windows directory:
%WINDIR%\nrs.exe

(%WINDIR% is the Windows directory, so the path becomes, for instance, C:\Windows\nrs.exe)

For Windows 95, 98 and Millennium, the worm replaces the shell command in %WINDIR%\SYSTEM.INI, under the [Boot] section:

"shell=Explorer.exe nrs.exe"

In Windows NT4, 2000, XP and 2003, the worm replaces the registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Winlogon
Subkey: Shell
Value: "Explorer.exe nrs.exe"
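
A defender-side check for the two shell changes described above, as an added example that is not BitDefender's code: it reads the [boot] shell= line from SYSTEM.INI text and reports any program listed besides Explorer.exe, and the same function applies to a Shell value read from the Winlogon key. The function names and the sample SYSTEM.INI contents are constructed for illustration.

```python
import ntpath
import re

EXPECTED_SHELL = "explorer.exe"  # the only program a default shell value names

def extra_shell_programs(shell_value):
    """Return every program in a shell value that is not Explorer.exe."""
    tokens = [t.strip('"') for t in re.split(r"[\s,]+", shell_value.strip())]
    return [t for t in tokens
            if t and ntpath.basename(t).lower() != EXPECTED_SHELL]

def system_ini_shell(text):
    """Return the shell= value of the [boot] section, or None if absent.

    Parsed by hand because SYSTEM.INI repeats keys (e.g. device=) in
    other sections, which strict INI parsers reject.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def check_system_ini(text):
    """List unexpected programs on the [boot] shell= line of SYSTEM.INI text."""
    value = system_ini_shell(text)
    return [] if value is None else extra_shell_programs(value)

# Constructed sample files, not taken from a real machine.
SAMPLE_CLEAN = "[boot]\nsystem.drv=system.drv\nshell=Explorer.exe\n"
SAMPLE_MODIFIED = ("[386Enh]\ndevice=*vpd\ndevice=*int13\n\n"
                   "[Boot]\nsystem.drv=system.drv\n"
                   "shell=Explorer.exe nrs.exe\n")

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("modified", SAMPLE_MODIFIED)):
        print(name, "->", check_system_ini(text) or "no extra shell programs")
    # The same check on a Shell value as read from the Winlogon key:
    print("registry value ->", extra_shell_programs('"Explorer.exe nrs.exe"'))
```
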

The worm uses the Microsoft Outlook mailing system to send mail to all e-mail addresses in the Windows Address Book.

At the beginning of the executable file, you can see the following text:
This is a Second Variant of Nemora 911.

Last update 21 November 2011
