Discussion in 'malware problems & news' started by Randy_Bell, Jan 4, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    WORM_RECORY.A is a highly encrypted, memory-resident worm that arrives as an email attachment with a random subject line, but a fixed message body. This worm overwrites the system file, Jdbgmgr.exe, and disguises itself as a virus fix tool from a known antivirus vendor. Upon execution, it drops copies of itself as the following:

    • %Windows%\Autotest.com
      %Windows%\Windows Startup.pif

    The dropped copy, Jdbgmgr.exe, overwrites the system file of the same name in the Windows system directory.

    This worm drops another copy of itself in the StartUp folder as Systray.pif. This copy executes every time Windows starts. In addition to dropping a copy of itself in the StartUp folder, it also creates an entry in the registry Run key so that it executes at every Windows startup.

    This worm uses Microsoft Outlook to send copies of itself to all addresses listed in all distribution lists of the Microsoft Outlook address book. It sends email with the following details:

    Subject: <randomly chosen from any of the following>

    • Microsoft Support
      Fwd: Computer Virus fix Tool
      Fwd: Computer Virus Alert
      Fwd: Latest News
      Fw: Important
      Fwd: Latest Computer Virus outbreak
      Fwd: Damaged Software information
      Fwd: Urgent inforation
      Email Security Update
      Fw: Serious Alert
      From helpdesk support
      Fw: Read this
      Free support
      Technical support
      Fw: Client support
      Security update
      Software patch
      Microsoft news
      Fwd: Software alert
      Important information
      Fwd: Help on Computer issue
      Fw: High-threat computer virus fix
      Fwd: Computer issues
      Fwd: Severe virus alert
      Software support
      Fw: Attention users
      Fwd: Email virus alert
      High-risk computer virus removal
      Fwd: Attention employees

    Message Body:

    Hello readers,
    I have just cleaned my computer from a highly damaging computer virus Which is spreading rapidly through computer networks worldwide.

    There is one way to check to see if your computer is infected with this virus.

    Click the "Start" menu at the bottom left of your screen.
    Click the "Find" or "Search" button.
    Click the "Files or folders..." option.
    Then once the search application starts, type "Jdbgmgr.exe"

    If you have found this file, right-click on it and click the "Properties" tab. If the Properties menu has a picture of a bear on it, your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it). You may delete this file, but this is not the only file that the virus infects, To remove this virus, I have included a virus removal tool in the attachments "" that will scan all system files and remove any infectious code from them. This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies. If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide.

    Attachment: <randomly chosen from any of the following>

    • Fixvir.exe

    This worm drops copies of itself in shared folders of ICQ and Kazaa, making it easily accessible for other users to download.

    If you would like to scan your computer for WORM_RECORY.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_RECORY.A is detected and cleaned by Trend Micro pattern file #422 and above.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.