Quotes from today's BOClean update notification: WORM DU JOUR: CISSI (mass mailer) Arrives with one of the following titles: Heres a poem for you Ive written a poem for you Love poems for you Look what i wrote for you Poems for you Comes with attachments: LovePoem.pif Poem_collection.pif Zipped_poems.exe My Poems.txt.exe Poems.pif Sad Stories and Poems.pif My Story.pif The Poems.pif Poems for you.pif Only Poems.txt.pif copies existing files of the following extensions to %SYSTEMDIR%\ST folder created by the worm, but does not delete the originals: .htt, .rtf, .doc, .xls, .ini, .mdb, .txt, .htm, .html, .wab, .pst, .fdb, .cfg, .ldb, .eml, .abc, .ldif, .nab, .adp, .mdw, .mda, .mde, .ade, .sln, .dsw, .dsp, .vap, .php, . sp, .shtml Startup: shell= line in SYSTEM.INI file
Thanks FanJ, This one is very active: Detected as Win32/Duster.B worm after the last update. Yesterday it was CISSI.zip - probably unknown NewHeur_PE virus - deleted Regards, Pieter
