W32.Reztrict@mm


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 11 Jun 2007
Damage: Medium

Characteristics: W32.Reztrict@mm is a mass-mailing worm that infects Windows systems. It may download potentially malicious files onto the infected computer, and it displays a message to announce its presence. The worm spreads slowly, but may cause medium damage if it is not removed.

More details about W32.Reztrict@mm

When the worm is executed, it first checks whether it is already present on the compromised computer; if so, it displays the following message: No abras el virus 2 veces pelotud@!!

It then drops the VBScript file “VIRUS v2.0.vbs” in the Temp folder and executes it. The worm downloads a file from the Internet, saves it on the computer as svchost.exe and executes it. It modifies the registry so that it loads every time Windows starts.

The worm also enumerates the Windows Messenger contacts and stores them in the file mis contactos.txt. It reads email addresses from a registry subkey and appends them to the same file, mis contactos.txt. It then sends an email to every address gathered from the registry subkey, and sends the same email to the contacts it finds in Windows Live Messenger.

After gathering information from the infected computer, the worm sends an email to the attacker containing all of the contact information it collected. It then terminates the explorer.exe process.

A third party may have installed W32.Reztrict@mm through covert means: remote users may have downloaded and installed it through a backdoor on the computer, a trojan may have dropped it, or another worm may have installed it. Worms are often used to spread potentially harmful files quickly across network connections. Some malware writers use deceptive means to spread their programs: they may make the malware mimic legitimate system files, disguise it as games or multimedia files, or bundle it with popular downloads, so that when the user installs the download the malware is installed along with it.