Email-Worm.VBS.Saros.a, Generic.ScriptWorm.6C510160, VBS/[email protected]
VBS_SAROS.A, W32/Saros-A, Worm/Saros.A.1
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
02 Aug 2004
is a worm that spreads through email, file-sharing networks and mIRC. It affects Windows operating system platforms such as Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP.
When [email protected] is run, it attempts to create the file \WINDOWS\system32\About.hta, which appears to be a harmless HTML file but is actually a copy of the worm. It also creates and runs a VBScript file that creates registry keys, creates an archive file (which contains a copy of the worm), and sends an email to every entry in the Microsoft Outlook Address Book. The email has the subject “Microsoft Outlook News”, a message saying “Microsoft Outlook Update / Bug Fixed - Contact: -----.com” and an attachment named MSOutlookInternetUpdate.exe. The worm also places a copy of itself in the Windows directory. This executable file may use a variety of file names, which prevents it from being detected immediately. The worm also adds its process to the startup registry key.
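The email indicators described above (subject, message text and attachment name) can be checked at a mail gateway or over an exported mailbox. The following is an added example, not part of the original description: the function names, the sample addresses and the contact placeholder (the page elides the real domain) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the description above, lower-cased for comparison.
SUBJECT = "microsoft outlook news"
BODY_PHRASE = "microsoft outlook update / bug fixed"
ATTACHMENT = "msoutlookinternetupdate.exe"


def match_indicators(raw_message):
    """Return the sorted names of the indicators present in one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    # policy.default decodes RFC 2047 encoded-words before we compare.
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.strip().lower() == ATTACHMENT:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            try:
                text = part.get_content()
            except (LookupError, UnicodeError):
                continue  # undecodable body: skip it, keep header results
            # Collapse whitespace so line wrapping cannot hide the phrase.
            if BODY_PHRASE in " ".join(text.lower().split()):
                hits.add("body")
    return sorted(hits)


def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message (hypothetical helper)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Microsoft Outlook News",
                        "Microsoft Outlook Update / Bug Fixed - Contact: placeholder.example",
                        "MSOutlookInternetUpdate.exe")
    print(match_indicators(lure))
```

A subject match alone is weak evidence; the attachment name combined with either of the other two indicators is the stronger signal for quarantine.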
The program runs automatically once its download and installation procedure is completed. The presence of the [email protected] application may result in slower response from the computer. It may also reduce the system's Internet connection speed. The files used by the [email protected] application are located in the Windows system folder. The program registers its main file as a service process named ActiveX. This allows the application to execute automatically every time the computer boots up.