Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 25 January 2005 23:14:46 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Mirsa-B is a mass-mailing email worm.
W32/Mirsa-B may arrive as an attachment in an email with one of the following subject lines:
How NOT to get Promotion
Memorandom to all staff
Urgent Document
Alterations to my last letter
Amendments for...
Extremely Important
Sorry my mistake here's the...
Private and personal
The email body text may be one of the following:
Please read the attached file and get back to me ASAP
It's been ages since I last saw you
Hello, Can you read the file i sent then let me have it back
Cheers
Hey
Read this because i need your opinion
see you latter
Bye
I need you to read this document ASAP
Please read this file
This is for you, so please read it soon
I'll call you soon
I knew you couldn't keep a secret
I think about you all the time
what are you up to these days ?
The attachment will have one of the following filenames:
important.exe, DataBase.exe, Memo.exe, Serious.zip.exe, Protocol.exe, Memorandon.exe
W32/Mirsa-B will spread by emailing itself out to addresses found in the Windows Address Book.
W32/Mirsa-B will attempt to copy itself to the following locations:
/Anthrax.exe
/DataBase.exe
/Ebola.exe
/Important.exe
/Influenza.exe
/Memo.exe
/Memorandon.exe
/promotions.exe
/Protocol.exe
/Ricin.exe
/Serious.exe
/Serious.zip.exe
/Program Files/Microsoft Office/Office/Winword.exe
In order to run automatically each time a user logs on, W32/Mirsa-B will set the following registry entries:
| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Anthrax | C:\Serious.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Anthrax | C:\Serious.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Justice | C:\Serious.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Four | C:\Serious.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Ebola | C:\Serious.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Ebola | C:\Serious.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Fathers | C:\Serious.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | F4J | C:\Serious.exe |
W32/Mirsa-B will modify the WIN.INI file in the Windows folder by adding an entry pointing to "C:\Serious.exe" in the Windows section under the parameters LOAD, OPEN and RUN.
On NT-based systems, the changes will be reflected in the following registry entries:
| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | load | C:\Serious.exe |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | OPEN | C:\Serious.exe |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | RUN | C:\Serious.exe |
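
The following added example (not part of the Sophos description) checks saved `reg query` output and a copy of WIN.INI for the autorun entries listed above. The sample inputs are constructed, the function names are illustrative, and the parser assumes the four-space column layout that `reg query` prints.

```python
import re

# Indicators from the description above.
PAYLOAD = r"c:\serious.exe"
VALUE_NAMES = {"anthrax", "justice", "four", "ebola", "fathers", "f4j",
               "load", "open", "run"}
REG_VALUE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def scan_reg_query(text):
    """Return (key, value name, name_is_listed) for values whose data is the payload path."""
    hits, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE.match(line)
        if m and key and m.group(3).strip().strip('"').lower() == PAYLOAD:
            name = m.group(1)
            hits.append((key, name, name.lower() in VALUE_NAMES))
    return hits

def scan_win_ini(text):
    """Return (parameter, value) for LOAD/OPEN/RUN lines in [windows] naming the payload."""
    hits, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            param, value = (p.strip() for p in line.split("=", 1))
            if param.lower() in {"load", "open", "run"} and PAYLOAD in value.lower():
                hits.append((param, value))
    return hits

# Constructed sample inputs (not captured from an infected machine).
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Anthrax    REG_SZ    C:\Serious.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load    REG_SZ    C:\Serious.exe
"""
SAMPLE_INI = "[windows]\nload=C:\\Serious.exe\nrun=\n[fonts]\n"

if __name__ == "__main__":
    for hit in scan_reg_query(SAMPLE_REG) + scan_win_ini(SAMPLE_INI):
        print(hit)
```

A hit whose third field is `False` points at the payload path under a value name the description does not list, which is still worth reviewing.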
W32/Mirsa-B may add shortcut files to itself in the following Startup folder locations:
\WINDOWS\All Users\Start Menu\Programs\StartUp\Magic.lnk
\WINDOWS\Start Menu\Magic.LNK
W32/Mirsa-B may attempt to disable the mouse and keyboard and shut down the computer.
W32/Mirsa-B may also attempt to drop the following text to \Windows\Desktop\Fathers4Justice.txt
We are NOW supporting Fathers 4 Justice
LeftPara
Tony Blair: you really should LISTEN to us or we will take further action
VosLar
ManTak
DILENGER
UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice
The worm may also attempt to create a Fathers-4-Justice URL on the desktop.
