W32.Shermnar.B.Worm
Aliases: Trojan.Win32.VB.aw, Troj/VB-AW, Trojan:Win32/VB.AW
Variants: Trojan.VB.AW, Trojan Horse, Win32/VB.AW,
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 18 Jun 2003
Damage: Low
Characteristics: The W32.Shermnar.B.Worm program is a threat that tries to multiply using the Kazaa peer to peer network. It makes multiple duplicates of itself in the directory.
W32.Shermnar.B.Worm Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
RECOMMENDED:
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Shermnar.B.Worm from your computer.
More details about W32.Shermnar.B.Worm
When the W32.Shermnar.B.Worm program is opened, it displays a message box and an image that has German text on it. It makes the “directory:%Windir%Fonts^-^”. Then, it makes a few hundred duplicates of itself in the “%Windir%Fonts^-^” folder under different names such as “666.exe”, “Hotmailhack.exe”, “LordOfTheRings3-FullDownloader.exe”, “SIMS-FullDownloader.exe”, “KillOsamaBinLaden-FullGame.exe”, “StarWars2 - CloneAttack - FullDownloader.exe”, and “Necronomikon-is-back.exe”. It also makes files w/ the “3~34” and “Minerva” prefixes followed by the random numbers. Then, it adds the value “DIdir0” = “%Windir%Fonts^-^” to the registry key, to create the new directory available to other “Kazaa” users. It also tries to set itself to open automatically on startup by changing the registry; however, it doesn’t succeed because of a bug in the code.
The application may place its components in varying locations. This is so it will not be easy to detect or delete. The files may also be saved with varying names. It may mimic the names of system files. They may also use random character sequences. The W32.Shermnar.B.Worm software reportedly uses both DLL (Dynamic Link Libraries) and EXE files. Both kinds of files are added to the system registry. The DLL modules are registered as BHO (Browser Helper Object) programs. The EXE files are registered as startup processes.