
Virus Profile: W32/Neroma.b@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/5/2003
Date Added: 9/8/2003
Origin: Unknown
Length: 5,120 bytes (UPXed)
Type: Virus
Subtype: E-mail worm
DAT Required: 4253
Removal Instructions
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of the files and Registry keys detailed in the Virus Characteristics section below.

Methods of Infection

This worm spreads via mailing itself (using Outlook) to recipients listed in the Outlook address book.

Aliases

W32.Neroma.B@MM (NAV)

Virus Characteristics

This variant bears close similarities to W32/Neroma.a@MM.

Proactive detection: Products running the 4.2.40 engine with the 4253 DATs or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).

This will be detected exactly as W32/Generic.a@MM with the 4292 DATs and higher.

Mail Characteristics

The virus is likely to be received in an email bearing the following characteristics:

Subject: Time to 911!
Attachment: original filename - likely NRS.EXE ("119.gif" label is used)
Body: Hi, Nice butt!

When executed, the worm installs itself as:

%WinDir%\NRS.EXE

System startup is hooked via the following Registry key (NT/2k):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon = Explorer.exe nrs.exe

Or via the SYSTEM.INI system file (9x):

[boot]
"shell" = Explorer.exe nrs.exe
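Both startup hooks work the same way: the shell string is expected to name only Explorer.exe, and the worm appends its own dropper to it. The check below, added here as an example and not part of the McAfee profile, parses a SYSTEM.INI [boot] section and a Winlogon shell string (the sample INI text is constructed to match the format shown above) and reports any program other than Explorer.exe as a persistence indicator.

```python
import re
from typing import List

# The stock shell on both NT-family (Winlogon) and 9x (SYSTEM.INI) hosts.
EXPECTED_SHELL = "explorer.exe"


def shell_extras(value: str) -> List[str]:
    """Return every program named in a shell string other than Explorer.exe.

    Both hooks accept several entries (comma- or space-separated); Neroma.b
    sets the string to "Explorer.exe nrs.exe", so any extra entry is worth
    investigating. Unquoted paths containing spaces will be split into
    several tokens; that still yields a non-empty result, which is the
    signal we care about.
    """
    tokens = [t.strip().strip('"') for t in re.split(r"[,\s]+", value)]
    return [t for t in tokens if t and t.lower() != EXPECTED_SHELL]


def parse_system_ini_shell(ini_text: str) -> str:
    """Pull the shell= line out of the [boot] section of a SYSTEM.INI file."""
    in_boot = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and "=" in line:
            key, _, val = line.partition("=")
            # The key may be written with or without surrounding quotes.
            if key.strip().strip('"').lower() == "shell":
                return val.strip()
    return ""


# Constructed sample mirroring the SYSTEM.INI entry described in the profile.
SAMPLE_INI = '[386Enh]\ndevice=vmm32.vxd\n\n[boot]\n"shell" = Explorer.exe nrs.exe\n'


def check_host(winlogon_shell: str, system_ini_text: str) -> List[str]:
    """Combine both checks; each finding names the hook and the extra program."""
    findings = []
    for extra in shell_extras(winlogon_shell):
        findings.append(f"Winlogon shell: {extra}")
    for extra in shell_extras(parse_system_ini_shell(system_ini_text)):
        findings.append(f"SYSTEM.INI [boot] shell: {extra}")
    return findings


if __name__ == "__main__":
    for finding in check_host("Explorer.exe nrs.exe", SAMPLE_INI):
        print(finding)
```

On a live NT-family host the Winlogon string would be read from the Registry value the profile names; on a 9x host the INI text would come from the SYSTEM.INI file itself.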


All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations