W32/Cailont-A

Discussion in 'malware problems & news' started by FanJ, Apr 29, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    W32/Cailont-A
    Aliases : Nolor
    Type : Win32 worm

    Description
    W32/Cailont-A is an internet worm which sends itself out by email.

    W32/Cailont-A creates seven files in your system folder. The files explorer.exe, kernel32.exe, netdll.dll and serscg.dll are copies of the worm. The file setup.htm is a web page containing a Visual Basic Script which creates and launches the worm (this identity detects this file as VBS/Cailont-A). The files Netsn.dll and Bsbk.dll are raw base64-encoded copies of the worm and script files (these files are harmless on their own and can be deleted).

    W32/Cailont-A adds the value:

    explorer = "\SYSTEM\FOLDER\explorer.exe"

    to the registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    This means that the worm will run automatically every time you start your computer.

    W32/Cailont-A sends emails with the following characteristics:

    Read more:
    http://www.sophos.com/virusinfo/analyses/w32cailonta.html
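
The file names and Run entry described in the post above can be turned into a small host-triage check. This is an added example, not part of the original post or of the Sophos analysis; the function names, the system folder path and the sample data are assumptions constructed for illustration. Matches are by name only and are leads for a scanner to confirm.

```python
import ntpath

# File names and roles as given in the description above.
WORM_COPIES = {"explorer.exe", "kernel32.exe", "netdll.dll", "serscg.dll"}
DROPPER_PAGE = {"setup.htm"}
ENCODED_COPIES = {"netsn.dll", "bsbk.dll"}  # described as harmless on their own

def classify_files(system_folder_listing):
    """Map each matching file name to the role the description gives it."""
    findings = {}
    for name in system_folder_listing:
        key = name.lower()  # Windows file names are case-insensitive
        if key in WORM_COPIES:
            findings[name] = "worm copy"
        elif key in DROPPER_PAGE:
            findings[name] = "VBS dropper page"
        elif key in ENCODED_COPIES:
            findings[name] = "base64 copy (inert)"
    return findings

def run_value_is_suspicious(run_values, system_folder):
    """True if Run has an 'explorer' value pointing at explorer.exe in the system folder."""
    sysdir = ntpath.normcase(ntpath.normpath(system_folder))
    for value_name, data in run_values.items():
        if value_name.lower() != "explorer":
            continue
        # Strip optional quotes, then normalise case and separators.
        path = ntpath.normcase(ntpath.normpath(data.strip().strip('"')))
        if ntpath.dirname(path) == sysdir and ntpath.basename(path) == "explorer.exe":
            return True
    return False

def triage(run_values, system_folder, listing):
    """Combine both checks; 'active_copies' excludes the inert base64 files."""
    files = classify_files(listing)
    active = sorted(n for n, role in files.items() if role != "base64 copy (inert)")
    return {"run_key_hit": run_value_is_suspicious(run_values, system_folder),
            "files": files, "active_copies": active}

# Constructed sample input (not taken from a real host).
SAMPLE_RUN = {"explorer": r'"C:\WINDOWS\SYSTEM32\explorer.exe"',
              "SomeTray": r"C:\Program Files\Tray\tray.exe"}
SAMPLE_LISTING = ["kernel32.dll", "Kernel32.exe", "explorer.exe",
                  "Netsn.dll", "setup.htm", "notepad.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, r"C:\Windows\System32", SAMPLE_LISTING))
```

Feed it the values of HKLM\Software\Microsoft\Windows\CurrentVersion\Run and a directory listing of the system folder collected from the host under review.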
     