Virus Profile: W32/Urick@MM

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/22/2002
Date Added: 8/6/2002
Origin: Unknown
Length: 9,216 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4216
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

If the day of the month is 5,10,15,20,25, or 30 a payload is activated that displays an unclosable message box:

The START BUTTON on the taskbar is grayed out and unclickable. However, the keyboard shortcuts (CTRL - ESC, or the WINDOWS key) still work. A registry key value is also modified that prevents WINDOWS from shutting down properly.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Shutdown Setting=2
When attempting to shutdown Windows a message box is displayed:

Methods of Infection

This worm spreads via email, mass-mailing itself to users found in the Microsoft Outlook address book.


I-Worm.Urick (AVP), W32.Urick.A@mm (Symantec), WORM_URICK.A (Trend)

Virus Characteristics

AVERT has yet to receive a field sample of this threat. This worm arrives in an email message containing the following information:

Subject: A Windows Trick
Body: This is a cool Windows Trick. Microsoft has not developed a patch for this because they do not want to.
Execute the file attached to learn more of this Windows Trick.
If it did not work, use a Linux system instead.
The Microsoft Support Team.

Attachment: [varies - name of the file as run by the infected user].exe

When the attachment is run, the worm copies itself to the My Documents folder as attachment filename.exe and to the WINDOWS SYSTEM folder as attachment filename.jpg.exe. A registry run key is created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\filename=%My Documents%\filename.exe
The worm attempts to send itself to all users found in the Microsoft Outlook address book using MAPI messaging.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!