TrendMicro: WORM_NOPIR.B

WORM_NOPIR.B is a non-destructive, memory-resident worm that propagates via peer-to-peer networks. It searches for availabe peer-to-peer applications and then sends copies of itself to all available or online users. This worm is spreading in-the-wild and infecting computers running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this memory-resident worm creates the folder %Program Files%\Restore. It then drops a copy of itself in this folder as VXST.EXE. It also drops a copy of itself as %Program Files%\Projects Visual Studio.NET\Nctrup.exe, and searches for and deletes files with the extensions .com and .mp3.

This worm also creates several registry entries that perform the following:

* Ensure its automoatic execution at every Windows startup
* Disable registry tools
* Prevents the user from accessing the Control Panel to edit the registry

This worm does not check for memory-residency, so multiple instances of it may run on a computer system.

If you would like to scan your computer for WORM_NOPIR.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_NOPIR.B is detected and cleaned by Trend Micro pattern file #2.591.03 and above.