For Consumer

Virus Profile: VBS/Carewmr.A

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/22/2002
Date Added: 10/22/2002
Origin: Unknown
Length: 3,292
Type: Trojan
Subtype: VbScript
DAT Required: 4188
Removal Instructions
   
 
 
   

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

The presence of the above message, files and directories.

Methods of Infection

Executing the VBScript file.

Aliases

Trojan.VBS.Carewmr, VBS.AVFake (NAV)
   

Virus Characteristics

This threat is detected as VBS/Ardin. On executing the script, the following messages are displayed:

Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start scanning your computer

ERROR!, Code error:3212552, please execute this tool in MS-DOS.

Thank You for prefer Kaspersky Labs Products

If the date is September 1st, the following message will be displayed:

Mr.Carew vuelve otra vez!!,jaja

The trojan then opens the default internet browser to http:\\www.avp.ru. The following registry keys will be deleted:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro
The following 0 byte files will be created:
  • C:\Norton2003isbad_preferKAVORAVP
  • C:\AVP
  • C:\NAV
  • C:\CHILE
  • C:\TEMUCO
  • C:\MCAFEE
  • C:\ENTELPCS
  • C:\GSM1900MHZ
  • C:\SONYERICSSON
  • C:\CAREFULLY_WHIT_ME
  • C:\YOUR_PC_IS_VERY_BAD
  • C:\I HATE MELINA
  • C:\VBS.CarewMR.a
  • C:\Windows is a real virus?
  • C:\MELINA_TE_ODIO_MUERETE!
  • C:\WindowsXP
  • C:\Windows3.11
  • C:\Windows98SE
  • C:\WindowsME
  • C:\Windows 95
  • C:\WindowsNT
  • C:\Windows2000
  • C:\TELLCELL S.A
  • C:\PORN
  • C:\ORAL_SEX
  • C:\BIN_LADEN_F**KYOU
  • C:\ICQ
  • C:\PANDA
  • C:\NOD32
  • C:\TREND
  • C:\PC-CILLIN
  • C:\AvpM.exe
  • C:\Kaspersky_AntiVirus_PersonalPRO_THEBEST!!!!!
  • C:\Norton_thePOOR
  • C:\Madonna_Sucking_my_****.avi
  • C:\Your_system_is_infected_by_a_virus_jajajajajajaja.jajajaja
  • C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES
The following folders will be created:
  • C:\Symantec
  • C:\KasperskyLabs
  • C:\PandaSoftware
  • C:\TrendMicro
  • C:\Eset-Nod-f**ked
The trojan will delete the "C:\Windows" directory. The file CLRAV_Report.log will also be created with the following text:
"Due an error, Code error:3212552, CLRAV has not disinfect your computer For Support please send a e-mail to support@kaspersky.com and please indicate the Code Error."
   
Use specified engine and DAT files for detection and removal. Delete any file which contains this detection. Delete any folders created by this threat.