Discussion in 'malware problems & news' started by Randy_Bell, Jan 21, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Symantec Security Response - W32.Buffy.D

    W32.Buffy.D is a worm that uses mIRC to spread. When the worm runs, it copies itself as C:\BTVS.exe. It also drops C:\Mirc\Script.ini, which is detected as IRC.Family.Gen by Symantec AntiVirus products. Finally, the worm drops C:\Windows\Winstart.bat and C:\Windows\Start Menu\Programs\Startup\Start.vbs, but they are not malicious.

    Also Known As: I-WORM.Buffy.d [KAV]
    Type: Worm
    Infection Length: 163,904 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    technical details

    No additional information available at this time. Symantec Security Response will update this write-up if/when more information is available.

    removal instructions

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all the files detected as W32.Buffy.D or IRC.Family.Gen.
    3. Delete the following files:
       • C:\Windows\Winstart.bat
       • C:\Windows\Start Menu\Programs\Startup\Start.vbs
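
Added example, not part of the original post or of Symantec's write-up: a Python triage check that looks for the four file paths named above on a mounted copy of the C: drive, matching names case-insensitively and comparing BTVS.exe against the stated infection length. The function names, role labels and sample tree are assumptions of this example, and a path match is only a lead for the scan in step 2.

```python
import os
import tempfile

# Paths and size come from the write-up above; the role labels are this example's.
ARTIFACTS = [
    (r"C:\BTVS.exe", "worm copy (W32.Buffy.D)"),
    (r"C:\Mirc\Script.ini", "dropped script (IRC.Family.Gen)"),
    (r"C:\Windows\Winstart.bat", "dropped, not malicious"),
    (r"C:\Windows\Start Menu\Programs\Startup\Start.vbs", "dropped, not malicious"),
]
INFECTION_LENGTH = 163904  # bytes, the write-up's "Infection Length"

def resolve_ci(root, win_path):
    """Map a C:\\ path onto a mounted copy of the drive, ignoring case."""
    current = root
    for part in win_path.split("\\")[1:]:  # skip the "C:" component
        if not os.path.isdir(current):
            return None
        match = next((n for n in os.listdir(current) if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def triage(root):
    """Return one finding per listed artifact that exists under root."""
    findings = []
    for win_path, role in ARTIFACTS:
        found = resolve_ci(root, win_path)
        if found:
            size = os.path.getsize(found)
            # Only the worm copy has a published size to compare against.
            size_match = (size == INFECTION_LENGTH) if "BTVS" in win_path else None
            findings.append({"path": win_path, "role": role, "size": size, "size_match": size_match})
    return findings

def build_sample(root):
    """Constructed sample tree: zero bytes and placeholder text, no real malware."""
    os.makedirs(os.path.join(root, "mirc"))
    with open(os.path.join(root, "btvs.EXE"), "wb") as fh:
        fh.write(b"\0" * INFECTION_LENGTH)
    with open(os.path.join(root, "mirc", "script.ini"), "w") as fh:
        fh.write("; constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        for finding in triage(sample_root):
            print(finding)
```
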