Win32.Enemany.A.intended/B/C/D@mm

( W32.Enemany.A.int )
Propagation: medium
Damage: low
Size: 9-10 Kbytes
Detected: 2002 Jun 03

SYMPTOMS:

For variants A and B:
  • C:\WINDOWS\SYSTEM\Ati.scr
  • C:\WINDOWS\Xerox-Update.Exe
  • C:\WINDOWS\Start Menu\Programs\StartUp\WinUpdate.exe

For variant C:
  • C:\WINDOWS\SYSTEM\Edonkey.scr
  • C:\WINDOWS\Esel_Update.Exe

For variant D:
  • C:\WINDOWS\SYSTEM\Aspi32.scr
  • C:\WINDOWS\teuro.Exe

The following message is displayed when the worm is executed (for variants A and B):

TECHNICAL DESCRIPTION:

This worm runs under Windows and uses Microsoft Outlook to propagate. It is written in Visual Basic 6 and packed with UPX. Its size is about 9-10 Kbytes packed and about 20 Kbytes unpacked.

The virus spreads by sending itself as an attached file in an email to every person in the Microsoft Outlook Address Book. However, the first variant does not work properly, so the virus fails to attach itself to the e-mails it sends (which is why it is called "Intended"). This error is corrected in variant B.

The format of the infected emails is the same for each version:

  • Variant A
    Attachment: none (no file is attached).

  • Variant B
    Attachment: Xerox-Update.Exe

  • Variant C
    Attachment: Esel_Update.Exe

  • Variant D
    Attachment: teuro.Exe


The first two variants drop the file WinUpdate.Exe in the StartUp directory so that they are executed at every Windows session. The virus copies itself to the victim's computer only if Windows is installed in the directory C:\Windows (the default for 95/98/Me/XP).
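
The dropped file names and the UPX packing described above can be checked together on a live system or a mounted disk image. The script below is an added example, not BitDefender's code; the function names and the idea of passing the root of the C: volume as an argument are assumptions made for illustration.

```python
import os, struct, sys

# Dropped-file paths from the description above, relative to the C: drive root.
INDICATORS = {
    "A/B": [r"WINDOWS\SYSTEM\Ati.scr", r"WINDOWS\Xerox-Update.Exe",
            r"WINDOWS\Start Menu\Programs\StartUp\WinUpdate.exe"],
    "C": [r"WINDOWS\SYSTEM\Edonkey.scr", r"WINDOWS\Esel_Update.Exe"],
    "D": [r"WINDOWS\SYSTEM\Aspi32.scr", r"WINDOWS\teuro.Exe"],
}

def resolve(root, rel):
    """Case-insensitive lookup, so a mounted image can be checked on any OS."""
    cur = root
    for part in rel.split("\\"):
        names = os.listdir(cur) if os.path.isdir(cur) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur if os.path.isfile(cur) else None

def upx_packed(path):
    """True if the file is a PE whose section table names a UPX section."""
    with open(path, "rb") as f:
        data = f.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return False
    nsec = struct.unpack_from("<H", data, pe + 6)[0]  # NumberOfSections
    opt = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt
    names = [data[table + 40 * i:table + 40 * i + 8] for i in range(nsec)]
    return any(n.startswith(b"UPX") for n in names)

def scan(root):
    """Return {variant: [(path, size in bytes, UPX-packed?)]} for files found."""
    hits = {}
    for variant, paths in INDICATORS.items():
        for rel in paths:
            full = resolve(root, rel)
            if full:
                entry = (rel, os.path.getsize(full), upx_packed(full))
                hits.setdefault(variant, []).append(entry)
    return hits

if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\"))
```

A hit that is UPX-packed and close to the 9-10 Kbytes stated above matches the description; a file with one of these names that is not packed or is far from that size needs a closer look before it is treated as Enemany.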

Removal instructions:

1. If you don't have BitDefender installed click here to download an evaluation version;

2. Make sure that you have the latest updates using BitDefender Live!;

3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Enemany.

ANALYZED BY:

Costin Ionescu, BitDefender Virus Researcher