MS C# virus

Discussion in 'malware problems & news' started by javacool, Mar 1, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    Feb 10, 2002

    Catch the article here:
  2. javacool

    javacool BrightFort Moderator

    Feb 10, 2002
    Full report from

    Link to article:
  3. FanJ

    FanJ Guest


    Name: W32/Sharp-A
    Aliases: W32/Sharpie@mm
    Type: Win32 executable file virus
    Date: 4 March 2002

    At the time of writing Sophos has received no reports from users affected by this virus. However, we have issued this advisory following enquiries to our support department from customers.


    W32/Sharp-A is a virus that arrives in an email message with the following characteristics:

    Subject: Important: Windows update
    Message body: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
    Attachment: MS02-010.EXE

    When W32/Sharp-A is executed it copies itself to C:\MS02-010.EXE
    and drops and executes sharp.vbs in the current directory. This file is detected as VBS/Sharp-A. The script sends the email described above to everyone in the Outlook address book.

    If the virus detects the Microsoft .NET runtime, it drops and executes the file cs.exe in the Windows directory. This file infects .EXE files with W32/Sharp-A and creates the file sharp.vbs in the Windows startup folder. This file merely displays a message box with the title "Sharp" and the text

    "You're infected with Win32.HLLP.Sharp, written in C#, by Gigabyte/Metaphase"

    The virus also creates the registry key HKLM/Software/Sharp
    which contains the name of the viral file which was run.

    Read the analysis at
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.