For Home

Virus Profile: W32/PetLil@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/2/2002
Date Added: 6/3/2002
Origin: Unknown
Length: 37,376 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4207
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of C:\XXXPic.exe.

Methods of Infection

This worm arrives as an email attachment. Manually executing this attachment causes the worm to send itself to all users in the Microsoft Outlook Address book using the MAPI protocol.

Aliases

WORM_GORUM.A (Trend)
   

Virus Characteristics

This threat is detected as New Worm with the 4150 DATs, or newer, when running with program heuristics enabled. The 4207 will detect this as W32/PetLil@MM.

When ran, if it is the 1st, 15th, 31st of the month. The worm will display a picture of a half-naked woman. On any other day, it will display a message box:

All addresses found in the Microsoft Outlook Address book are sent a message with the following information:

Subject: XXX Picture...
Body: A pretty girl waits for you. Click on attached file...

Attachment: XXXPic.exe

The worm copies itself to C:\XXXPic.exe. It also searches the Windows, Windows system, and My Documents directories for files with the extension .vbs, .htm, .doc, .xls, .bmp, .gif, .jpg, .pdf, or .js. If any files are found, it copies itself as the filename with an .exe extension. It adds a registry key entry for every file dropped:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.