Trojan.VBS.Carewmr

Discussion in 'malware problems & news' started by FanJ, Oct 21, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Quote from Kaspersky:
    [hr]
    Trojan.VBS.Carewmr
    Carewmr is a dangerous trojan program written in the VBS language. It
    deletes the contents of the "C:\Windows" directory.

    When the trojan program is executed, it shows the following messages:

    "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start
    scanning your computer."

    "ERROR!, Code error:3212552, please execute this tool in MS-DOS."

    "Thank You for prefer Kaspersky Labs Products"

    "Carewmr" then opens the "http:\\www.avp.ru" site in the default
    Internet browser.

    On September 1st the trojan program displays the message:

    "Mr.Carew vuelve otra vez!!, jaja"

    To get a more detailed account of this virus, please visit The Kaspersky
    Virus Encyclopedia at:
    http://www.viruslist.com/eng/viruslist.html?id=57487

    [hr]

    Trojan.VBS.Carewmr



    Carewmr is a dangerous trojan program written in the VBS language. It deletes the contents of the "C:\Windows" directory.

    When the trojan program is executed, it shows the following messages:


    "Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer."
    "ERROR!, Code error:3212552, please execute this tool in MS-DOS."

    "Thank You for prefer Kaspersky Labs Products"


    "Carewmr" then opens the "http:\\www.avp.ru" site in the default Internet browser.

    On September 1st the trojan program displays the message:


    "Mr.Carew vuelve otra vez!!, jaja"
    It also removes the following registry keys:


    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro"
    "Carewmr" then creates several files and directories, as listed below.

    Files created:


    "C:\Norton2003isbad_preferKAVORAVP"
    "C:\AVP"
    "C:\NAV"
    "C:\CHILE"
    "C:\TEMUCO"
    "C:\MCAFEE"
    "C:\ENTELPCS"
    "C:\GSM1900MHZ"
    "C:\SONYERICSSON"
    "C:\CAREFULLY_WHIT_ME"
    "C:\YOUR_PC_IS_VERY_BAD"
    "C:\I HATE MELINA"
    "C:\VBS.CarewMR.a"
    "C:\Windows is a real virus?"
    "C:\MELINA_TE_ODIO_MUERETE!"
    "C:\WindowsXP"
    "C:\Windows3.11"
    "C:\Windows98SE"
    "C:\WindowsME"
    "C:\Windows 95"
    "C:\WindowsNT"
    "C:\Windows2000"
    "C:\TELLCELL S.A"
    "C:\PORN"
    "C:\ORAL_SEX"
    "C:\BIN_LADEN_FUCKYOU"
    "C:\ICQ"
    "C:\PANDA"
    "C:\NOD32"
    "C:\TREND"
    "C:\PC-CILLIN"
    "C:\AvpM.exe"
    "C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!"
    "C:\Norton_thePOOR"
    "C:\Madonna_Sucking_my_dick.avi"
    "C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja"
    "C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:pOSITIVES-FALSES"

    Directories created:


    "C:\Symantec"
    "C:\KasperskyLabs"
    "C:\PandaSoftware"
    "C:\TrendMicro"
    "C:\Eset-Nod-fucked"

    Next the trojan creates a text file named CLRAV_Report.log that has the following contents:


    "Due an error, Code error:3212552, CLRAV has not disinfect your computer"
    "For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."

    Currently, this trojan program is reported to be "in the wild".
     
Thread Status:
Not open for further replies.