I-Worm.Trilissa.f, W32/[email protected]
, Win32.HLLM.Generic.81, W32/Trilissa-F, Win32/[email protected]
WORM_TRILISSA.F, Worm/Trilissa.F1, W32/[email protected]
, Win32:Trilisa-F, I-Worm/Trilisa
Category: Computer Worm
Asia, North and South America, and some parts of Europe and Australia
12 Jul 2002
There are a few variants of W32.Sirhen.Worm. They are all mass mailing worms that are written in the Microsoft VB or Microsoft Visual Basic programming language. When the W32.Sirhen.Worm program opens, it tries to spreads itself to all email addresses in the address book of Microsoft Outlook.
W32.Sirhen.Worm Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Sirhen.Worm from your computer.
More details about W32.Sirhen.Worm
The W32.Sirhen.Worm program mails itself to all the email addresses in the address book of Microsoft Outlook by making use of Visual Basic script file. The e-mail message has the Subject: “Reverendo”, Message: “El Reverendo del Infierno...”, Attachment: “Reverendo.scr”, or Subject: “SirHenry!!! Mira que salvapantallas mas raro!!”, Message: “Mira a SirHenry!! Jajajaja!! No he visto cosa mas rara ni grande!”, Attachment: SirHenry.scr”. Then, the worm adds the registry key values that refer wo the worm itself and to the Visual Basic script file so that the W32.Sirhen.Worm virus is opened every time you begin Windows. For instance, a variant adds these values “Reverendo Reverendo.scr” or “Church Church.vbs”.
When the W32.Sirhen.Worm program opens, it duplicates itself to “C:\%windir%”. The precise file name can be one of the following “C:\%windir%Reverendo.scr”, “C:\%windir% imexel.scr”, “C:\%windir%Norton.scr”, or “C:\%windir%SirHenry.scr”. The W32.Sirhen.Worm then makes a Visual Basic script file in the “C:\%windir% folder”. The Visual Basic script filenames differ depending on the variant of the worm. It could be one of the following “C:\%windir%Church.vbs”, “C:\%windir%XaR.vbs”, “C:\%windir%Norton.vbs”, or “C:\%windir%Ruin.vbs”. This program is also known for hijacking the user’s web browser. It makes several changes on the Internet settings that are difficult to undo. These changes may include the home page, search page and error page. The user may also be redirected to unsolicited websites. This program can also add some links inside the Favorites and Bookmarks folder of the Web browser. Clicking these links may direct the user to websites that are not secure.