VIRUS NAME : W32/Sowsat@MM

Virus Characteristics

This email virus sends itself to addresses extracted from .HTM* files in the Windows directory of the victim machine.

The worm is also capable of spreading via IRC, via a dropped SCRIPT.INI file, which is detected as Mirc/Generic with the 4149 DATs or later.

The worm contains its own SMTP engine, and uses a public SMTP server (address hardcoded within the worm) for mailing. It may arrive in an email formatted in a number of ways:

From: Screensaver-Demo coder (DEMOS@SCREENSAVE.ORG)
Subject: Kewl FX screensaver
Attachment: setupc.exe
Body: A nice FX-screensaver.Better than the last one!

Subject: AVP-Virus-Warning
Attachment: setupc.exe
Body: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP

From: Your friend (JOHN@YAHOO.COM)
Subject: My cool, litle program
Attachment: setupc.exe
Body: Something I programmed.It's really cool!

From: Crazy Games inc. -New gaming company (Crazygames@crazygamez.com)
Subject: freeware nice game
Attachment: setupc.exe
Body: hya, chaeck this cool freeware!

The worm contains the string:

[Team A] kicks [Team B]'s ass!


Existence of the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows "Cow" = Moooo

Existence of the Registry keys detailed in the 'Method of Infection' section.

Two identical files named SETUPC.EXE and SYSCn.EXE in the Windows directory, whose size matches that listed above.

Existence of the archive OSCn.ZIP in the Windows directory, containing a copy of SYSC3.EXE (where 'n' is a digit 0-9).

Method Of Infection

The worm copies itself to the Windows directory as SETUPC.EXE and SYSCn.EXE (n = digit 0-9), and modifies the Registry to run SYSCn.EXE on subsequent system startup, for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Cow" = C:\WINDOWS\SYSC3.EXE

Upon restarting, the worm mails itself to email addresses extracted from *.HTM* files in the Windows directory (recursive).

The worm checks if WinZip is installed on the victim machine, and, if so, creates a further copy of itself in an archive by setting a Registry key to run WinZip at next startup. The archive, named OSCn.ZIP (n = digit 0-9), is created in the Windows directory.
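A host check for the indicators listed above, as an added example that is not part of the original description. It takes a copy of the Windows directory and the values of the Run key and reports which indicators are present; the function names, the dictionary input and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

SYSC = re.compile(r"SYSC[0-9]\.EXE", re.I)   # dropped copy, n = 0-9
OSC = re.compile(r"OSC[0-9]\.ZIP", re.I)     # WinZip archive, n = 0-9

def basename(win_path):
    """Last component of a Windows-style path, quotes stripped."""
    return win_path.strip('"').replace("\\", "/").rsplit("/", 1)[-1]

def check_sowsat(windir, run_values):
    """Return the W32/Sowsat@MM indicators found in windir and the Run key values."""
    findings = []
    files = {p.name.upper(): p for p in sorted(Path(windir).iterdir()) if p.is_file()}
    setupc = files.get("SETUPC.EXE")
    ref = hashlib.sha256(setupc.read_bytes()).digest() if setupc else None
    for name, path in files.items():
        if SYSC.fullmatch(name) and ref == hashlib.sha256(path.read_bytes()).digest():
            findings.append(f"SETUPC.EXE and {name} are identical")
        elif OSC.fullmatch(name) and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                inside = [m for m in zf.namelist() if SYSC.fullmatch(basename(m))]
            if inside:
                findings.append(f"{name} contains {inside[0]}")
    for value, data in run_values.items():
        # Flag the "Cow" value name or any Run entry that starts SYSCn.EXE.
        if value.lower() == "cow" or SYSC.fullmatch(basename(data)):
            findings.append(f"Run value {value} = {data}")
    return findings

def demo():
    """Build a constructed Windows directory (harmless placeholder bytes) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp)
        for name in ("SETUPC.EXE", "SYSC3.EXE"):
            (win / name).write_bytes(b"constructed placeholder, not the worm")
        (win / "NOTEPAD.EXE").write_bytes(b"unrelated file")
        with zipfile.ZipFile(win / "OSC3.ZIP", "w") as zf:
            zf.write(win / "SYSC3.EXE", "SYSC3.EXE")
        run = {"Cow": r"C:\WINDOWS\SYSC3.EXE", "SystemTray": "SysTray.Exe"}
        return check_sowsat(win, run)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The Run key values can be supplied from a Registry export of the suspect machine; the check compares file contents by hash rather than relying on the file size, which this page does not state.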

If you are fed up with a virus and cannot find a solution for it, mail us at amgroup@skillsheaven.com and please provide all the details about the virus.