WORM_RECORY.A is a highly encrypted, memory-resident worm that arrives as an email attachment with a random subject line, but a fixed message body. This worm overwrites the system file, Jdbgmgr.exe, and disguises itself as a virus fix tool from a known antivirus vendor.

Upon execution, it drops copies of itself as the following:

    %Windows%\Autotest.com
    %Windows%\Jdbgmgr.exe
    %Windows%\Windows Startup.pif
    %Windows%\Uninstall32.pif
    %Windows%\Security.pif
    %Windows%\Compile32.pif
    %Windows%\Startwin.com
    %Windows%\Winboot32.com
    %System%\Msdos32.pif
    %System%\Autoexec32.bat
    %System%\Cleanvir.pif
    %System%\Jdbgmgr.exe
    %Temp%\Jdbgmgr.exe

The dropped copy, Jdbgmgr.exe, overwrites the system file of the same name in the Windows system directory.

This worm drops another copy of itself in the StartUp folder as Systray.pif. This copy executes every time Windows starts. In addition to dropping a copy of itself in the StartUp folder, it also creates an entry in the registry Run key so that it executes at every Windows startup.

This worm uses Microsoft Outlook to send copies of itself to all addresses listed in all distribution lists of the Microsoft Outlook address book.
It sends email with the following details:

Subject: <randomly chosen from any of the following>

    Microsoft Support
    Fwd: Computer Virus fix Tool
    Fwd: Computer Virus Alert
    Fwd: Latest News
    Fw: Important
    Fwd: Latest Computer Virus outbreak
    Fwd: Damaged Software information
    Fwd: Urgent inforation
    Email Security Update
    Fw: Serious Alert
    From helpdesk support
    Fw: Read this
    Free support
    Technical support
    Fw: Client support
    Security update
    Software patch
    Microsoft news
    Fwd: Software alert
    Important information
    Fwd: Help on Computer issue
    Fw: High-threat computer virus fix
    Fwd: Computer issues
    Fwd: Severe virus alert
    Software support
    Fw: Attention users
    Fwd: Email virus alert
    High-risk computer virus removal
    Fwd: Attention employees

Message Body:

    Hello readers,

    I have just cleaned my computer from a highly damaging computer virus Which is spreading rapidly through computer networks worldwide. There is one way to check to see if your computer is infected with this virus. Click the "Start" menu at the bottom left of your screen. Click the "Find" or "Search" button. Click the "Files or folders..." option. Then once the search application starts, type "Jdbgmgr.exe" If you have found this file, right-click on it and click the "Properties" tab. If the Properties menu has a picture of a bear on it, your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it). You may delete this file, but this is not the only file that the virus infects, To remove this virus, I have included a virus removal tool in the attachments "" that will scan all system files and remove any infectious code from them. This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies. If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide.
Attachment: <randomly chosen from any of the following>

    Fixvir.exe
    Fixtool.exe
    Remove32.com
    Virusremove.pif
    Cleanvir.pif
    Recovery.exe
    Scan32.pif
    Cleaner.pif
    Cleanvirus.com
    Removal.exe
    Deletevir.com
    Scanvir.pif
    Killvirus.com
    Killvir.com
    Virusfix.exe
    Fixvirus.com
    Fixvir.pif

This worm drops copies of itself in shared folders of ICQ and Kazaa, making it easily accessible for other users to download.

If you would like to scan your computer for WORM_RECORY.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_RECORY.A is detected and cleaned by Trend Micro pattern file #422 and above.
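
Because the subject line is random while the message body and the attachment names are fixed, a mail-gateway check can key on the latter two. The following is an added example, not Trend Micro's code: the function names, the sample addresses and the rule "a listed attachment name plus at least two body phrases" are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in the advisory (compared case-insensitively).
ATTACHMENT_NAMES = {n.lower() for n in (
    "Fixvir.exe", "Fixtool.exe", "Remove32.com", "Virusremove.pif",
    "Cleanvir.pif", "Recovery.exe", "Scan32.pif", "Cleaner.pif",
    "Cleanvirus.com", "Removal.exe", "Deletevir.com", "Scanvir.pif",
    "Killvirus.com", "Killvir.com", "Virusfix.exe", "Fixvirus.com",
    "Fixvir.pif")}
# Phrases taken from the fixed message body quoted in the advisory.
BODY_MARKERS = ("jdbgmgr.exe", "picture of a bear",
                "virus removal tool in the attachments")

def recory_indicators(raw: bytes) -> dict:
    """Return which advisory indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names, text = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname.strip().lower())
        elif part.get_content_maintype() == "text":
            text.append(part.get_content())
    # Collapse whitespace so line wrapping cannot split a marker phrase.
    body = " ".join(" ".join(text).lower().split())
    return {
        "attachments": sorted(n for n in names if n in ATTACHMENT_NAMES),
        "body_markers": [m for m in BODY_MARKERS if m in body],
    }

def is_suspect(raw: bytes) -> bool:
    """Assumed rule: a listed attachment name plus two or more body markers."""
    hit = recory_indicators(raw)
    return bool(hit["attachments"]) and len(hit["body_markers"]) >= 2

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment payload is inert filler."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    m.add_attachment(b"inert", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Requiring both signals keeps a message that merely discusses Jdbgmgr.exe, with no listed attachment, from being flagged.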