Virus Profile: W32/Neroma.a@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/3/2003
Date Added: 9/4/2003
Origin: Unknown
Length: 5,632 bytes (UPXed)
Type: Virus
Subtype: Internet Worm
DAT Required: 4253

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the file and Registry/INI startup entries detailed in the Virus Characteristics section.

Methods of Infection

This worm spreads via mailing itself (using Outlook) to recipients listed in the Outlook address book.

Aliases

W32.Neroma@MM (NAV), Worm.Win32.Maro.5632 (Hauri)

Virus Characteristics

-- Update September 4, 2003 --
This threat was upgraded to a Low-Profiled risk due to media attention from the ComputerWorld article "First of perhaps many 9/11 viruses emerges".

This Visual Basic worm propagates via mailing itself to recipients in the Outlook Address book (using Outlook to construct and send messages).

Proactive detection: Products running the 4.2.40 engine with the 4253 DATs or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).

This will be detected exactly as W32/Generic.a@MM with the 4292 DATs and higher.

Mail Characteristics

The virus is likely to be received in an email bearing the following characteristics:

Subject:   It's Near 911!
Attachment:   Nerosys.exe ("911.jpg" label is used)
Body:   Nice butt baby!

When executed, the worm installs itself as:

%WinDir%\NEROSYS.EXE

System startup is hooked via the following Registry key (NT/2k):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon = Explorer.exe nerosys.exe

Or via the SYSTEM.INI system file (9x):

[boot]
"shell" = Explorer.exe nerosys.exe
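
The two startup hooks above (the NT/2k Winlogon shell value and the 9x SYSTEM.INI [boot] shell line) can be audited for anything launched alongside Explorer.exe. The following is an added example written for this profile, not McAfee's tooling; the SYSTEM.INI text and the Winlogon value it checks are constructed from the profile rather than read from a live system.

```python
# Added example (not McAfee's tooling): check the two startup hooks the
# profile describes for programs launched alongside Explorer.exe. Inputs
# are constructed strings modelled on the profile text, not live data.
import re
import shlex
from typing import Optional

EXPECTED_SHELL = "explorer.exe"

# Constructed SYSTEM.INI fragment in the 9x form shown above.
SAMPLE_SYSTEM_INI = """[386Enh]
device=*vmm32
[boot]
"shell" = Explorer.exe nerosys.exe
drivers=mmsystem.dll
"""

def extra_shell_entries(shell_value: str) -> list[str]:
    """Programs named in a shell line other than Explorer.exe. A clean
    value is just 'Explorer.exe'; anything appended is a startup hook."""
    tokens = shlex.split(shell_value, posix=False)  # non-POSIX keeps path backslashes
    return [t.strip('"') for t in tokens if t.strip('"').lower() != EXPECTED_SHELL]

def system_ini_shell(ini_text: str) -> Optional[str]:
    """Shell value from the [boot] section of SYSTEM.INI, or None.
    Accepts the quoted key form ("shell" = ...) used in the profile."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().strip('"').lower() == "shell":
            return value.strip()
    return None

def check_startup_hooks(winlogon_shell: Optional[str], system_ini: Optional[str]) -> dict[str, list[str]]:
    """Map each hooked location to the extra programs it launches; empty means clean.
    winlogon_shell is the Winlogon shell value from the NT/2k Registry key above."""
    findings: dict[str, list[str]] = {}
    if winlogon_shell is not None and (extra := extra_shell_entries(winlogon_shell)):
        findings["HKLM\\...\\Windows NT\\CurrentVersion\\Winlogon"] = extra
    shell = system_ini_shell(system_ini) if system_ini is not None else None
    if shell is not None and (extra := extra_shell_entries(shell)):
        findings["SYSTEM.INI [boot] shell"] = extra
    return findings
```

Running `check_startup_hooks("Explorer.exe nerosys.exe", SAMPLE_SYSTEM_INI)` reports `nerosys.exe` under both locations, while a machine whose shell entries read only `Explorer.exe` yields an empty result.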

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps also need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.