Virus type: Worm
Destructive: Yes
Aliases: Win32/Winevar.A, I-Worm.Winevar, W32/Korvar, W32/Winevar@mm, W32.HLLW.Winevar
Pattern file needed: 397
Scan engine needed: 5.200
Overall risk rating: Low

Reported Infections: Low
Damage Potential: High
Distribution Potential: High

Description:

This destructive Internet worm runs on all Windows platforms. It uses its own SMTP (Simple Mail Transfer Protocol) engine to propagate via email. It sends email messages with random subjects to addresses harvested from .HTM files and .DBX (Outlook Express mailbox) files on the infected system.

It constructs the subject line in two ways. The first format, used in one of every three email messages, produces email with the following details:

Subject: AVAR (Association of Anti-Virus Asia Researcher)
Message Body: -
Attachments:
  WIN.GIF (120 bytes)
  MUSIC_2.CEO
  WIN.TXT (12.6 KB)
  MUSIC_1.HTM

The second format, used in two of every three email messages, produces email with the following details:

Subject:
Message Body: -
Attachments:
  WIN.GIF (120 bytes)
  MUSIC_2.CEO
  WIN.TXT (12.6 KB)
  MUSIC_1.HTM

* is the registered owner of the machine and is the organization of the owner.

However, at the time of writing, this worm has a bug: it cannot completely decode the second email subject, so its first four generated characters are unintelligible. This is why most of the email it sends arrives with the subject format:

Subject: N`4_

This worm sends email using a known exploit that causes the attachment to execute automatically when the message is viewed or previewed in Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express.
This exploit is known as Automatic Execution of Embedded MIME type. The worm terminates certain monitoring programs and antivirus products, and deletes all files on the local drives after execution once it finds the folder "ANTIVIRUS" on the infected system.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

For Users of Trend Micro Products

Download the Trend Micro System Cleaner Patch to remove this malware from your system using your Trend Micro product. You must replace the file TSC.EXE in your product folder with the same file contained in this download. For OfficeScan 5.02 users, the default folder is C:\OfficeScanNT. For PC-cillin 2002 users, the default folder is C:\Program Files\Trend Micro\PC-cillin 2002.

For Non-users of Trend Micro Products

Download and run the Trend Micro System Cleaner Package. If you have an MD5 signature checker, you may check the MD5 hash value of this tool. Trend Micro advises users to consult the readme file, readme_sysclean.txt, which contains the description and features of this package.

NOTE: Non-users of Trend Micro products must download and use the latest pattern file for the TSC package to be effective.

MANUAL REMOVAL INSTRUCTIONS

WARNING: If you suspect that your computer is infected with WORM_WINEVAR.A, do not restart your system before completing the removal procedure.

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program. Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

Close Registry Editor.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Internet Explorer 5.01 and 5.5. Download and install the security update from Microsoft. Refrain from using this product until the appropriate patch has been installed.
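The registry steps above can be checked against an exported copy of the three keys before anything is deleted. The following Python is an added example, not code from this page or from Trend Micro: it parses a .reg export (the text Registry Editor writes with its Export command) and lists every Run/RunServices value whose data names a detected file. The export text and the filename WORM_SAMPLE.EXE are constructed placeholders; substitute the name(s) your scan reported.

```python
import re

# The three autostart keys walked through in the manual removal steps above.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
_WANTED_KEYS = {k.lower() for k in AUTOSTART_KEYS}
_KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "Name"="data" or @="data"

# Constructed .reg export (not a real capture); WORM_SAMPLE.EXE is a placeholder
# for whatever filename the antivirus scan reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINDOWS\\SYSTEM\\WORM_SAMPLE.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\worm_sample.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Player"="\"C:\\Program Files\\Player\\player.exe\" /quiet"
'''

def _unquote(s):
    """Undo .reg string quoting: surrounding quotes plus backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)

def find_autostart_entries(reg_text, detected_files):
    """Return (key, value_name, data) for each Run/RunServices value naming a detected file."""
    wanted = {f.lower() for f in detected_files}
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            # Only track values while inside one of the three autostart keys.
            current_key = key.group(1) if key.group(1).lower() in _WANTED_KEYS else None
            continue
        value = _VALUE_RE.match(line) if current_key else None
        if not value:
            continue
        name = "(Default)" if value.group(1) == "@" else _unquote(value.group(1))
        data = _unquote(value.group(2))
        # Match the basename as a whole path component, case-insensitively, so a
        # quoted path with spaces or trailing arguments is still recognised.
        if any(re.search(r'(?:^|[\\/"\s])' + re.escape(f) + r'(?=$|["\s])', data.lower()) for f in wanted):
            hits.append((current_key, name, data))
    return hits
```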
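As an added example (not code from this page or from Trend Micro), the following Python checks an incoming message for the indicators listed in the Description above: the two subject forms, the attachment names and, as a heuristic of my own rather than something the advisory states, an attachment declared as an auto-rendered media type whose filename extension says otherwise, which is the general shape of the MIME-type auto-execution issue. The sample message is constructed; the audio/x-wav type on MUSIC_2.CEO only illustrates that mismatch and is not the worm's actual header.

```python
import email
import mimetypes
from email import policy

# Indicators taken from the worm description above.
WINEVAR_SUBJECT_PREFIXES = ("AVAR (Association of Anti-Virus Asia Researcher", "N`4_")
WINEVAR_ATTACHMENTS = {"WIN.GIF", "MUSIC_2.CEO", "WIN.TXT", "MUSIC_1.HTM"}
AUTO_RENDER_TYPES = ("audio", "image", "video")  # assumption: types a client may render on preview

# Constructed sample (not a real capture). The audio/x-wav type on the .CEO
# attachment only illustrates the declared-type/extension mismatch checked below.
SAMPLE_MESSAGE = """\
Subject: AVAR (Association of Anti-Virus Asia Researcher)
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: image/gif; name="WIN.GIF"
Content-Disposition: attachment; filename="WIN.GIF"

R0lGODlh
--bnd
Content-Type: audio/x-wav; name="MUSIC_2.CEO"
Content-Disposition: attachment; filename="MUSIC_2.CEO"

AAAA
--bnd--
"""

def scan_message(raw):
    """Return a list of findings for one RFC 822 message; an empty list means no match."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    findings = []
    if subject.startswith(WINEVAR_SUBJECT_PREFIXES):
        findings.append("subject matches WORM_WINEVAR.A pattern: " + subject)
    seen = set()
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        seen.add(fname.upper())
        declared_main = part.get_content_type().split("/")[0]   # e.g. "audio"
        guessed = mimetypes.guess_type(fname)[0] or ""          # from the extension, e.g. image/gif
        # Heuristic (added here, not stated in the advisory): a media-type attachment whose
        # extension disagrees with the declared type is the shape of the MIME-type exploit.
        if declared_main in AUTO_RENDER_TYPES and not guessed.startswith(declared_main + "/"):
            findings.append(f"{fname} declared as {declared_main} but extension says {guessed or 'unknown'}")
    hits = seen & WINEVAR_ATTACHMENTS
    if hits:
        findings.append("attachment names match WORM_WINEVAR.A: " + ", ".join(sorted(hits)))
    return findings
```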