
Worm_recory.a

  • 04-01-2003 11:51am
    Masquerading as a Virus Fix Tool - WORM_RECORY.A (Low Risk)
    WORM_RECORY.A is a highly encrypted, memory-resident worm that arrives as an email attachment with a random subject line, but a fixed message body. This worm overwrites the system file, Jdbgmgr.exe, and disguises itself as a virus fix tool from a known antivirus vendor. Upon execution, it drops copies of itself as the following:


    %Windows%\Autotest.com
    %Windows%\Jdbgmgr.exe
    %Windows%\Windows Startup.pif
    %Windows%\Uninstall32.pif
    %Windows%\Security.pif
    %Windows%\Compile32.pif
    %Windows%\Startwin.com
    %Windows%\Winboot32.com
    %System%\Msdos32.pif
    %System%\Autoexec32.bat
    %System%\Cleanvir.pif
    %System%\Jdbgmgr.exe
    %Temp%\Jdbgmgr.exe


    The dropped copy, Jdbgmgr.exe, overwrites the system file of the same name in the Windows system directory.

    This worm drops another copy of itself in the StartUp folder as Systray.pif. This copy executes every time Windows starts. In addition to dropping a copy of itself in the StartUp folder, it also creates an entry in the registry Run key so that it executes at every Windows startup.

    This worm uses Microsoft Outlook to send copies of itself to all addresses listed in all distribution lists of the Microsoft Outlook address book. It sends email with the following details:

    Subject: <randomly chosen from any of the following>
    Microsoft Support
    Fwd: Computer Virus fix Tool
    Fwd: Computer Virus Alert
    Fwd: Latest News
    Fw: Important
    Fwd: Latest Computer Virus outbreak
    Fwd: Damaged Software information
    Fwd: Urgent inforation
    Email Security Update
    Fw: Serious Alert
    From helpdesk support
    Fw: Read this
    Free support
    Technical support
    Fw: Client support
    Security update
    Software patch
    Microsoft news
    Fwd: Software alert
    Important information
    Fwd: Help on Computer issue
    Fw: High-threat computer virus fix
    Fwd: Computer issues
    Fwd: Severe virus alert
    Software support
    Fw: Attention users
    Fwd: Email virus alert
    High-risk computer virus removal
    Fwd: Attention employees

    Message Body:
    Hello readers,
    I have just cleaned my computer from a highly damaging computer virus Which is spreading rapidly through computer networks worldwide.

    There is one way to check to see if your computer is infected with this virus.

    Click the "Start" menu at the bottom left of your screen.
    Click the "Find" or "Search" button.
    Click the "Files or folders..." option.
    Then once the search application starts, type "Jdbgmgr.exe"

    If you have found this file, right-click on it and click the "Properties" tab. If the Properties menu has a picture of a bear on it, your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it). You may delete this file, but this is not the only file that the virus infects, To remove this virus, I have included a virus removal tool in the attachments "" that will scan all system files and remove any infectious code from them. This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies. If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide.
    Attachment: <randomly chosen from any of the following>
    Fixvir.exe
    Fixtool.exe
    Remove32.com
    Virusremove.pif
    Cleanvir.pif
    Recovery.exe
    Scan32.pif
    Cleaner.pif
    Cleanvirus.com
    Removal.exe
    Deletevir.com
    Scanvir.pif
    Killvirus.com
    Killvir.com
    Virusfix.exe
    Fixvirus.com
    Fixvir.pif

    This worm drops copies of itself in shared folders of ICQ and Kazaa, making it easily accessible for other users to download.
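The indicators quoted in the post (drop paths, the StartUp copy, the fixed subject lines and attachment names) are enough to write a small triage check. The script below is an added example, not code from the post or from any antivirus vendor; it takes the listed strings verbatim and adds three assumptions of my own: the %Windows%/%System%/%Temp% values and the StartUp folder are supplied by the caller, any hit named Jdbgmgr.exe is reported as "verify" rather than "strong" because that is a legitimate file name the worm overwrites, and the Run-key check matches by target file name because the post does not give the value name the worm writes.

```python
"""Triage checks built from the WORM_RECORY.A indicators quoted in the post.

Added example, not part of the original post or any vendor tool. Paths,
names and subjects come from the post; the triage logic is an assumption.
"""
import os
from typing import Callable, Dict, List, Tuple

# Drop locations exactly as listed in the post, with its %Name% placeholders.
DROPPED_FILES = [
    r"%Windows%\Autotest.com", r"%Windows%\Jdbgmgr.exe",
    r"%Windows%\Windows Startup.pif", r"%Windows%\Uninstall32.pif",
    r"%Windows%\Security.pif", r"%Windows%\Compile32.pif",
    r"%Windows%\Startwin.com", r"%Windows%\Winboot32.com",
    r"%System%\Msdos32.pif", r"%System%\Autoexec32.bat",
    r"%System%\Cleanvir.pif", r"%System%\Jdbgmgr.exe",
    r"%Temp%\Jdbgmgr.exe",
]
STARTUP_COPY = "Systray.pif"  # copy the post says lands in the StartUp folder

LURE_SUBJECTS = {
    "Microsoft Support", "Fwd: Computer Virus fix Tool", "Fwd: Computer Virus Alert",
    "Fwd: Latest News", "Fw: Important", "Fwd: Latest Computer Virus outbreak",
    "Fwd: Damaged Software information", "Fwd: Urgent inforation",
    "Email Security Update", "Fw: Serious Alert", "From helpdesk support",
    "Fw: Read this", "Free support", "Technical support", "Fw: Client support",
    "Security update", "Software patch", "Microsoft news", "Fwd: Software alert",
    "Important information", "Fwd: Help on Computer issue",
    "Fw: High-threat computer virus fix", "Fwd: Computer issues",
    "Fwd: Severe virus alert", "Software support", "Fw: Attention users",
    "Fwd: Email virus alert", "High-risk computer virus removal",
    "Fwd: Attention employees",
}
LURE_ATTACHMENTS = {a.lower() for a in (
    "Fixvir.exe", "Fixtool.exe", "Remove32.com", "Virusremove.pif", "Cleanvir.pif",
    "Recovery.exe", "Scan32.pif", "Cleaner.pif", "Cleanvirus.com", "Removal.exe",
    "Deletevir.com", "Scanvir.pif", "Killvirus.com", "Killvir.com", "Virusfix.exe",
    "Fixvirus.com", "Fixvir.pif",
)}

# Assumption: Jdbgmgr.exe is a legitimate file name that the worm overwrites,
# so its presence alone proves nothing; compare it against a known-good copy.
NEEDS_VERIFICATION = {"jdbgmgr.exe"}


def expand(path: str, env: Dict[str, str]) -> str:
    """Substitute the post's %Name% placeholders from the supplied mapping."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_dropped_copies(env: Dict[str, str], startup_dir: str,
                        exists: Callable[[str], bool] = os.path.exists
                        ) -> Tuple[List[str], List[str]]:
    """Return (strong, verify): listed drop paths that exist on the host.

    'exists' is injectable so the logic can be exercised against a recorded
    file listing instead of the live file system."""
    candidates = [expand(p, env) for p in DROPPED_FILES]
    candidates.append(startup_dir.rstrip("\\") + "\\" + STARTUP_COPY)
    strong, verify = [], []
    for full in candidates:
        if exists(full):
            (verify if _basename(full) in NEEDS_VERIFICATION else strong).append(full)
    return strong, verify


def _executable(command: str) -> str:
    """File name of the program a Run-key command line launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split()[0] if command.split() else ""
    return _basename(exe)


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Run-key value names whose command launches one of the dropped files.

    The post says a Run entry is created but not its name, so matching is
    done on the launched file name (assumption)."""
    names = {_basename(p) for p in DROPPED_FILES} | {STARTUP_COPY.lower()}
    return [name for name, cmd in run_values.items() if _executable(cmd) in names]


def is_lure_email(subject: str, attachment: str) -> bool:
    """True when both subject and attachment match the post's fixed lists."""
    return subject.strip() in LURE_SUBJECTS and attachment.strip().lower() in LURE_ATTACHMENTS


if __name__ == "__main__":
    # Constructed host listing: two worm copies plus the overwritten system file.
    env = {"Windows": r"C:\Windows", "System": r"C:\Windows\System", "Temp": r"C:\Windows\Temp"}
    startup = r"C:\Windows\Start Menu\Programs\StartUp"
    present = {r"C:\Windows\Startwin.com", r"C:\Windows\System\Jdbgmgr.exe", startup + "\\" + STARTUP_COPY}
    strong, verify = find_dropped_copies(env, startup, exists=present.__contains__)
    print("strong:", strong)
    print("verify (hash-check against a clean copy):", verify)
    print("run-key hits:", suspicious_run_entries({"Systray": r"C:\Windows\Startwin.com"}))
```

Running it on a real host means passing the actual %Windows%, %System%, %Temp% and StartUp values and leaving `exists` at its default; the "verify" list is deliberately separate so that a responder does not delete the genuine Jdbgmgr.exe on the strength of its name alone.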

