Name: W32/Cervivec-A
Type: Win32 worm
Date: 25 March 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

W32/Cervivec-A is an email worm. It will arrive in an email with the following characteristics:

Subject line - randomly chosen from:

    Vtip
    Witz
    blague
    Joke
    Zart
    Chiste

Message body - randomly chosen from:

    Cau posilam ti cerviky tak se na to podivej (virus to neni)
    Cau posielam ti cerviky tak sa na to pozri (virus to neni)
    Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
    J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
    Hi, I have some cool joke - worms so have a look at it (no virus)
    Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
    Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

Attached file: worms.zip

The zip file contains the worm executable. When run it will display a message box with the text 'Press restart button to close this application'. When the user clicks 'Ok' colourful worm patterns are drawn all over the screen obliterating the contents.

The worm is copied to <windows directory>\system32\ntkrnl.exe. The registry value

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel Loader

is set to run the worm from this location with the added parameter '-LOADDRIVERS=TRUE'.

When Windows is restarted the worm will email itself to people in the ICQ contact list.

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32cerviveca.html
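The mail characteristics listed in the description can be turned into a gateway-side check. This is an added example, not part of the Sophos advisory: the function names, the rule of requiring the attachment name plus one other indicator, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text (compared case-insensitively).
SUBJECTS = {"vtip", "witz", "blague", "joke", "zart", "chiste"}
ATTACHMENT = "worms.zip"
BODY_MARKERS = ("virus to neni", "kein virus", "il n'y a pas de virus",
                "no virus", "to nie jest wirus", "no es un virus")

def cervivec_indicators(raw: str) -> list:
    """Return which advisory indicators a raw RFC 5322 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(marker in text for marker in BODY_MARKERS):
        hits.append("body")
    # iter_attachments() yields nothing for a non-multipart message.
    names = [(p.get_filename() or "").strip().lower() for p in msg.iter_attachments()]
    if ATTACHMENT in names:
        hits.append("attachment")
    return hits

def is_suspect(raw: str) -> bool:
    """Subjects such as 'Joke' are common in ordinary mail, so require the
    attachment name plus at least one other indicator (assumed policy)."""
    hits = cervivec_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject: str, body: str, filename: str) -> str:
    """Constructed test message; the attachment is an empty ZIP archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    empty_zip = b"PK\x05\x06" + b"\x00" * 18
    msg.add_attachment(empty_zip, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_string()

if __name__ == "__main__":
    sample = build_sample("Witz", "Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)", "worms.zip")
    print(cervivec_indicators(sample), is_suspect(sample))
```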