Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » VBS/CoolNot@mm

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload
Detection files published 29 May 2000 03:00:00
Description created 15 Oct 2000 03:00:00
Description updated 26 Nov 2002 04:10:00
Malware type WORM
Alias
Spreading mechanism EMAIL
IRC
Summary None

VBS/CoolNot@mm

Spreading

This worm copies itself to the Windows' system folder as COOL_NOTEPAD_DEMO.TXT.vbs and modify the Registry to execute this file each time Windows is started. Then it modifies Registry to hide the Desktop after Windows is restarted.After this the worm performs a check to see if mIRC is installed at the infected system. If mIRC is installed, the worm will overwrite mirc.ini if mIRC is installed to c:\mirc. The new mirc.ini will send the infected file, COOL_NOTEPAD_DEMO.TXT.vbs, to all users who join the same channel as the infected user, and also send a short message to the #virus channel. The message is: "Cool Notepad Demo".The worm uses MS Outlook to send itself to all entries in all address books.

Payload Details

n/a

Analysis

n/a

Removal

To restore your desktop you need to change the following Registry key:   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop"=dword:00000000


Last Updated: 12 Nov 2015 11:06:11