Name: W32/Bajar-B
Aliases: W32.ZVM@mm, VBS.ZVM@mm, VBS.Bajar.B@mm
Type: Win32 worm
Date: 4 July 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Note: This IDE file detects W32/Bajar-B and W32/Bajar-A.

More information about W32/Bajar-B can be found at http://www.sophos.com/virusinfo/analyses/w32bajarb.html

W32/Bajar-B is a mass mailing worm that emails itself to all entries in all Windows address books. It arrives in an email with the following characteristics:

Subject line: Nuevo programa para bajar musica gratis
Message body: con este programa vas a poder bajar cualquier tipo de musica las mejores canciones

The attached filename can be anything.

On execution W32/Bajar-B displays a message box containing the text "Instalando ZVmusic".

The worm checks the registry entry HKCU\Software\mp3_sent and if it is not set to "yea" then it makes it so and executes its mass mailing routine.

Finally W32/Bajar-B deletes:

    C:\windows\rundll.exe
    C:\windows\system\vshield.vxd
    C:\autoexec.bat
    C:\windows\regedit.exe
    C:\windows\regedit.com
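
A mail-filter check for the email characteristics listed above, as an added example that is not Sophos code. The function names, the constructed sample messages and the choice to compare text after collapsing whitespace and case-folding are assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the advisory text.
SUBJECT = "Nuevo programa para bajar musica gratis"
BODY = ("con este programa vas a poder bajar cualquier tipo de musica "
        "las mejores canciones")

def norm(text):
    """Collapse whitespace and case-fold so line wrapping cannot defeat a match."""
    return re.sub(r"\s+", " ", text or "").strip().casefold()

def match_bajar_b(raw_message):
    """Return which of the advisory's email characteristics a message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-word subjects before comparison.
    if norm(msg["Subject"]) == norm(SUBJECT):
        hits.append("subject")
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is not None and norm(BODY) in norm(part.get_content()):
        hits.append("body")
    # The attachment name is arbitrary, so only its presence is checked.
    if next(msg.iter_attachments(), None) is not None:
        hits.append("attachment")
    return hits

def is_suspect(raw_message):
    """Flag a message only when subject, body and attachment all match."""
    return match_bajar_b(raw_message) == ["subject", "body", "attachment"]

def sample_message(subject, body, attach=True):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="anything.bin")
    return m.as_string()

if __name__ == "__main__":
    wrapped = "con este programa vas a poder bajar cualquier tipo de musica\nlas mejores canciones\n"
    print(match_bajar_b(sample_message(SUBJECT, wrapped)))
    print(match_bajar_b(sample_message("Meeting notes", "See attached.")))
```

Requiring all three characteristics keeps ordinary mail with attachments from being flagged on its own.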