Trojan.VBS.Carewmr

Discussion in 'malware problems & news' started by FanJ, Oct 21, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Quote from Kaspersky:
    [hr]
    Trojan.VBS.Carewmr
    Carewmr is a dangerous trojan program written in the VBS language. It
    deletes the contents of the "C:\Windows" directory.

    When the trojan program is executed, it shows the following messages:

    "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start
    scanning your computer."

    "ERROR!, Code error:3212552, please execute this tool in MS-DOS."

    "Thank You for prefer Kaspersky Labs Products"

    "Carewmr" then opens the "http:\\www.avp.ru" site in the default
    Internet browser.

    On September 1st the trojan program displays the message:

    "Mr.Carew vuelve otra vez!!, jaja"

    To get a more detailed account of this virus, please visit The Kaspersky
    Virus Encyclopedia at:
    http://www.viruslist.com/eng/viruslist.html?id=57487

    [hr]

    Trojan.VBS.Carewmr



    Carewmr is a dangerous trojan program written in the VBS language. It deletes the contents of the "C:\Windows" directory.

    When the trojan program is executed, it shows the following messages:


    "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer."
    "ERROR!, Code error:3212552, please execute this tool in MS-DOS."

    "Thank You for prefer Kaspersky Labs Products"


    "Carewmr" then opens the "http:\\www.avp.ru" site in the default Internet browser.

    On September 1st the trojan program displays the message:


    "Mr.Carew vuelve otra vez!!, jaja"
    It also removes the following registry keys:


    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"
    "Carewmr" then creates several files and directories, as listed below.

    Files created:


    "C:\Norton2003isbad_preferKAVORAVP"
    "C:\AVP"
    "C:\NAV"
    "C:\CHILE"
    "C:\TEMUCO"
    "C:\MCAFEE"
    "C:\ENTELPCS"
    "C:\GSM1900MHZ"
    "C:\SONYERICSSON"
    "C:\CAREFULLY_WHIT_ME"
    "C:\YOUR_PC_IS_VERY_BAD"
    "C:\I HATE MELINA"
    "C:\VBS.CarewMR.a"
    "C:\Windows is a real virus?"
    "C:\MELINA_TE_ODIO_MUERETE!"
    "C:\WindowsXP"
    "C:\Windows3.11"
    "C:\Windows98SE"
    "C:\WindowsME"
    "C:\Windows 95"
    "C:\WindowsNT"
    "C:\Windows2000"
    "C:\TELLCELL S.A"
    "C:\PORN"
    "C:\ORAL_SEX"
    "C:\BIN_LADEN_FUCKYOU"
    "C:\ICQ"
    "C:\PANDA"
    "C:\NOD32"
    "C:\TREND"
    "C:\PC-CILLIN"
    "C:\AvpM.exe"
    "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
    "C:\Norton_thePOOR"
    "C:\Madonna_Sucking_my_dick.avi"
    "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
    "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:pOSITIVES-FALSES"

    Directories created:


    "C:\Symantec"
    "C:\KasperskyLabs"
    "C:\PandaSoftware"
    "C:\TrendMicro"
    "C:\Eset-Nod-fucked"

    Next the trojan creates a text file named CLRAV_Report.log that has the following contents:


    "Due an error, Code error:3212552, CLRAV has not disinfect your computer"
    "For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

    Currently, this trojan program is reported to be "in the wild".
     
    FanJ, Oct 21, 2002
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...