Aliases: I-Worm.Ciosor (Kaspersky Lab), W32/Ciosor.worm (McAfee), W32.Ciosor (Symantec), Win32.HLLM.Gracioso (Doctor Web), W32/Gracioso (Sophos), Win32/[email protected] (RAV), WORM_CIOSOR.A (Trend Micro), Worm/Ciosor (H+BEDV), Win32:Cioso (ALWIL), I-Worm/Gracioso (Grisoft), [email protected] (SOFTWIN), W32/ZZZ (Panda), Win32/Ciosor (Eset)
Variants: W32/Ciosor.worm, I-Worm.Ciosor, W32/Gracioso, WORM_CIOSOR.A

Classification: Malware
Category: Computer Worm

Status: active
Spreading: Low
Geographical info: Low
Removal: Easy
Platform: W32
Discovered: 06 Nov 2001
Damage: low

Characteristics: The W32.Ciosor worm affects almost all Windows operating system versions, including Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, and Windows XP.

More details about W32.Ciosor

The W32.Ciosor worm reportedly spreads by email, using an SMTP engine to send its messages. Some vendors also classify it as an Internet worm. It should be removed immediately to avoid excessive data loss or even degraded computer performance.

When the worm is run, it deletes files such as "\Windows\System\Msconfig.exe", "\Windows\System\Regwiz.exe" and "\Windows\System\Regedit.exe". The file c:\windows\system\regwiz.exe may also be seen running on the Windows system. The worm has its own SMTP engine and sends itself to email addresses taken from files of the .dbx, .nws, and .eml types.

While this worm is running on the computer, you may see fake email messages with subjects such as "no es una aplicación Win32 válida [ OK ]" and "Cuidado con los virus!!! Tienes un virus!!! Me lo baje de Internet Una coña de la red", while the email bodies contain the following texts:

"Me ha llegado el virus %virusname%, de tu ordenador, ya es la segunda vez Pasa la vacuna que te envío, de Norton Antivirus Y ten mas cuidado la próxima vez, Un Saludo"

"Por Favor, revise su ordenador, me ha enviado el virus %virusname% Le envío la vacuna facilitada por Norton Antivirus, Un Saludo"

"Hola, perdona, que te moleste, pero me has enviado un virus, el %virusname% Te envío la vacuna de panda, Ten mas cuidado la próxima vez,"

"Hola Te envío un fichero que me bajado de Internet, es una broma. Mueve él Ratón por toda la pantalla. No se quita ni pulsando control+alt+supr, Jeje, al final hay que reiniciar."

Propagation happens mainly through email, when people open infected files. You may see file attachments with any of the following filenames: "mueveraton.exe", "AntiMagistr.exe", "AntiNimda.exe" and "AntiSircam.exe". The worm is written in Visual Basic and is an executable (.exe) program. It activates from an infected email only if the user opens the attached file, so take great care not to open attachments in suspicious or untrusted emails.
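The attachment names and subject lines above can be checked at a mail gateway or against saved .eml files. The following is an added example, not part of the original write-up: the function names are hypothetical, the sample messages are constructed, and only the leading fragment of each quoted subject is matched.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in this write-up, compared case-insensitively.
CIOSOR_ATTACHMENTS = {"mueveraton.exe", "antimagistr.exe",
                      "antinimda.exe", "antisircam.exe"}
# Leading fragments of the subjects quoted in this write-up (lower-cased).
CIOSOR_SUBJECT_MARKERS = ("no es una aplicación win32 válida",
                          "cuidado con los virus!!!")


def ciosor_indicators(raw):
    """Return the indicators from this write-up found in one raw message."""
    # policy.default decodes RFC 2047 subjects and RFC 2231 filenames.
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).lower()
    for marker in CIOSOR_SUBJECT_MARKERS:
        if marker in subject:
            hits.append("subject:" + marker)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Drop any path component and normalise case before comparing.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base in CIOSOR_ATTACHMENTS:
            hits.append("attachment:" + base)
    return hits


def build_sample(subject, filename):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Un Saludo")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(ciosor_indicators(build_sample("Cuidado con los virus!!!", "AntiNimda.EXE")))
    print(ciosor_indicators(build_sample("Quarterly report", "report.pdf")))
```

A filename or subject match alone is a weak signal, so treat a hit as a reason to quarantine and scan the attachment rather than as a confirmed detection.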