Type: Win32 Worm
Category: Computer Worm
Status: Active & Spreading
Regions: North and South America, Asia
Date: 24 Sep 2002
This Win32 worm is characterized by its payload routine, which attempts to overwrite every executable file stored in the Windows directory. The only exceptions are Emm386.exe and Setver.exe in that same directory, which it leaves untouched.
A worm like this one does more than cause annoyance: its payload can destroy the files in the Windows directory. If the system is infected, you should either:
A. manually remove the infected files from the computer, or
B. scan the system with a trusted antivirus product and let it clean the infection.
The worm requires the Borland C++ 6.0 runtime libraries in order to run. It overwrites all .exe files in the %windir% folder except Setver.exe and Emm386.exe, and it can mail itself to an email address embedded in the program. On Windows NT, 2000 and XP it reportedly adds a value named brigadaNT to a Windows Registry key; the value points to the location of the original worm file. The worm also places copies of itself in several locations on the infected hard drive. It appears to limit itself to a single infection of a given machine: according to antivirus vendors, it checks for the presence of a particular registry key, and only if that entry is not found does it proceed to overwrite the executables and display a message box whose window title contains the text Brigada Ocho Bitmap Tools.
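The page gives two host-based indicators an incident responder can check for: a registry value named brigadaNT, and a Windows directory in which every .exe except Emm386.exe and Setver.exe has been overwritten with the worm body. The PowerShell triage script below is an added example, not code from the original page or from any antivirus vendor. Because the page does not say which registry key holds brigadaNT, the script assumes the usual autostart keys; the 30-day "recently modified" window is also an assumption. The third check goes beyond the text: if the worm overwrites executables with copies of itself, the overwritten files share one SHA-256 hash, so grouping %windir%\*.exe by hash exposes the damage even on a system where the registry marker was never written.

```powershell
# Added triage script for the worm described on this page (not the page's or a vendor's code).
# Assumptions: the key under which "brigadaNT" lives is not stated, so the usual
# autostart keys are searched; "recent" means modified within the last 30 days.

$marker     = 'brigadaNT'
$exceptions = @('emm386.exe', 'setver.exe')     # the two files the worm leaves alone
$cutoff     = (Get-Date).AddDays(-30)            # assumption: 30-day window
$runKeys    = @(                                  # assumption: where the marker might be
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Infection marker: a value NAMED brigadaNT (the page says its data points at the worm file).
Write-Host "== Registry marker check ($marker) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $marker)) {
        Write-Host ("FOUND value {0} under {1} -> {2}" -f $marker, $key, $props.$marker)
    }
}

# 2. Per-file check of %windir%\*.exe: unsigned or recently written binaries are suspicious,
#    since the worm replaces them wholesale rather than patching them.
Write-Host "== Executables in $env:windir =="
$exes = Get-ChildItem -Path $env:windir -Filter '*.exe' -File -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    if ($exceptions -contains $exe.Name.ToLower()) {
        Write-Host ("skip  {0} (not overwritten by this worm; inspect separately)" -f $exe.Name)
        continue
    }
    $flags = @()
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.Status -ne 'Valid')        { $flags += "signature=$($sig.Status)" }
    if ($exe.LastWriteTime -gt $cutoff) { $flags += "modified=$($exe.LastWriteTime.ToString('s'))" }
    if ($flags.Count -gt 0) {
        Write-Host ("CHECK {0}: {1}" -f $exe.Name, ($flags -join ', '))
    }
}

# 3. Mass-overwrite signature: distinct .exe names that share one hash were all replaced
#    by the same body. Legitimate Windows binaries never collide like this.
Write-Host "== Duplicate-content check =="
$groups = $exes |
    Where-Object { $exceptions -notcontains $_.Name.ToLower() } |
    ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 } |
    Group-Object -Property Hash |
    Where-Object { $_.Count -gt 1 }
foreach ($g in $groups) {
    $names = ($g.Group | ForEach-Object { Split-Path $_.Path -Leaf }) -join ', '
    Write-Host ("{0} files share hash {1}: {2}" -f $g.Count, $g.Name.Substring(0, 16), $names)
}
```

Run it from an elevated prompt, since reading HKLM autostart keys and hashing files under %windir% needs administrative rights on a locked-down host. The duplicate-content check is the most robust of the three: the registry marker depends on an unconfirmed key path, and a signature check can be noisy on older systems where many Windows binaries were never Authenticode-signed, but a dozen differently named executables with a single SHA-256 is unambiguous evidence that something replaced them.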
The worm may also mail a copy of itself to the contacts in the Windows Address Book. Before it sends any booby-trapped messages, it searches the address book for a predetermined name. If that name is present, it sends an email message urging the recipient to launch the attached file; the message adds that if the attachment fails to install, the recipient should install the VB 6.0 tools it requires to run. If the name is not present, the worm sends no email at all and instead deletes the entire contents of the Windows directory, including its folders and subfolders.