Sophos

W32/Mirsa-A

Aliases
  • W32/Mirsa@MM
  • WORM_MIRSA.A

Summary

 
How it spreads
  • Email attachments
Affected operating systems: Windows
Included in our products from: March 2005 (3.91)
Protection available since: 25 January 2005 23:14:46 (GMT)
Detected by: All Sophos products

More Information

W32/Mirsa-A is a mass-mailing email worm.

W32/Mirsa-A will arrive as an attachment in an email with the following body text:

Please look at the enclosed CV
Its really important that you read this
Thanks

The attachment will have one of the following filenames:

Curriculum.Vitae.DOC.exe, C.V.DOC.exe, CVitae.DOC.exe, CV.DOC.exe, Profile.DOC.exe, Personal.DOC.exe
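
A mail-filter check for this naming pattern, as an added example that is not part of the original Sophos description: it flags any attachment whose final extension is executable and whose preceding extension looks like a document, which covers the six filenames above and generalizes beyond them. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumed extension lists for this example; tune them to local policy.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY = {"doc", "docx", "rtf", "txt", "pdf", "xls", "jpg"}

def is_disguised_executable(filename):
    """True if the name ends in <decoy>.<executable>, e.g. CV.DOC.exe."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so drop them before testing.
    name = name.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY

def flag_attachments(raw_message):
    """Return attachment filenames in a raw message that look disguised."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and is_disguised_executable(n)]

# Constructed sample message (address, subject and payloads are placeholders).
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please look at the enclosed CV
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="CV.DOC.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="notes.doc"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))
```
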

W32/Mirsa-A will spread by emailing itself out to addresses found in the Windows Address Book.

W32/Mirsa-A will attempt to copy itself to the following locations:

/C.V.DOC.exe
/CV.DOC.exe
/CVitae.DOC.exe
/Curriculum.Vitae.DOC.exe
/Profile.DOC.exe
/mrsa.exe
/system.exe
/windows/Notepad2.exe
/windows/mrsa.exe
/Program Files/Microsoft Office/Office/Winword2.exe
/Program Files/Accessories/Wordpad2.exe
/Program Files/Accessories/Mspaint2.exe

In order to run automatically each time a user logs on, W32/Mirsa-A will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Notepad
C:\MRSA.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Explorer
C:\MRSA.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Keyboard
C:\MRSA.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
C:\MRSA.exe

W32/Mirsa-A will modify the WIN.INI file in the Windows folder by adding an entry pointing to "c:\MRSA.exe" in the Windows section under the parameters LOAD, OPEN and RUN.

On NT-based systems, the changes will be reflected in the following registry entries:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
c:\MRSA.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
OPEN
c:\MRSA.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
RUN
c:\MRSA.exe

W32/Mirsa-A may add shortcut files to itself in the following Startup folder locations:

\WINDOWS\All Users\Start Menu\Programs\StartUp\MSWord.lnk
\WINDOWS\All Users\Start Menu\Programs\StartUp\New.lnk

W32/Mirsa-A may attempt to drop the following text into a Word document:

Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
respect to:
RanSid
DILENGER
NEWORDER
KJ
VosLar
