This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4253 (2003-03-19)
Updated DAT: 4253 (2003-03-19)
Minimum Engine: 5.1.00
File Length: 5,632 bytes (UPXed)
Description Added: 2003-09-04
Description Modified: 2003-09-04
-- Update September 4, 2003 --
This threat was updated to a Low-Profiled risk due to media attention from ComputerWorld's article "First of perhaps many 9/11 viruses emerges".
This Visual Basic worm propagates by mailing itself to recipients in the Outlook Address Book, using Outlook to construct and send the messages.
Proactive detection: products running the 4.2.40 engine with the 4253 DATs or later detect this threat as "virus or variant W32/Generic.a@MM", provided scanning of compressed files is enabled (the sample is UPX-packed).
With the 4292 DATs and later it is detected exactly as W32/Generic.a@MM.
Mail Characteristics
The virus is likely to be received in an email bearing the following characteristics:
Subject:
It's Near 911!
Attachment:
Nerosys.exe (displayed under the label "911.jpg")
Body:
Nice butt baby!
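As an added example (not part of the original description and not McAfee's tooling), the following Python script turns the mail characteristics above into a gateway check. It constructs a sample message with the listed subject and body and a stand-in attachment labelled 911.jpg, then flags the known indicator strings and, more generally, any attachment whose bytes start with the MZ executable header regardless of the declared filename or content type. The attachment layout (an executable delivered under an image filename and content type), the stand-in bytes and the addresses are assumptions; the real sample is not reproduced.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the mail characteristics above (lower-cased for comparison).
KNOWN_SUBJECTS = {"it's near 911!"}
KNOWN_BODIES = {"nice butt baby!"}
KNOWN_ATTACHMENT_NAMES = {"nerosys.exe", "911.jpg"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def build_sample_message() -> bytes:
    """Constructed message matching the described mail; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "infected-user@example.invalid"
    msg["To"] = "address-book-entry@example.invalid"
    msg["Subject"] = "It's Near 911!"
    msg.set_content("Nice butt baby!")
    # Assumption: the executable is attached under the "911.jpg" label with an
    # image content type. The bytes are a constructed stand-in with a DOS/PE
    # header, not the worm itself.
    fake_exe = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 40
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="911.jpg")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed benign message with a JPEG-looking attachment for comparison."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Holiday photo"
    msg.set_content("Here is the picture from last week.")
    jpeg = b"\xff\xd8\xff\xe0" + b"\0" * 60  # JPEG/JFIF magic, constructed
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="beach.jpg")
    return msg.as_bytes()


def attachment_findings(part) -> list:
    """Flag an attachment by known name, executable extension or MZ magic bytes."""
    findings = []
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    if name in KNOWN_ATTACHMENT_NAMES:
        findings.append(f"attachment name is a known indicator: {name}")
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"attachment has an executable extension: {name}")
    # Content sniffing catches the executable even when it is labelled as an image.
    if data[:2] == b"MZ":
        findings.append(
            f"attachment {name!r} starts with an MZ header but is declared "
            f"{part.get_content_type()}"
        )
    return findings


def scan_message(raw: bytes) -> dict:
    """Return findings and a verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_hits, attachment_hits = [], []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        header_hits.append(f"subject matches known indicator: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if body in KNOWN_BODIES:
        header_hits.append(f"body matches known indicator: {body!r}")
    for part in msg.iter_attachments():
        attachment_hits.extend(attachment_findings(part))
    if attachment_hits:
        verdict = "quarantine"
    elif header_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": header_hits + attachment_hits}


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_message()), ("clean", build_clean_message())):
        result = scan_message(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The string indicators alone would miss a trivially edited variant; the MZ check is the part worth keeping, since it does not depend on the subject, body or attachment name the worm happens to use.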
When executed, the worm installs itself as:
%WinDir%\NEROSYS.EXE
System startup is hooked via the following Registry value (NT/2k):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
CurrentVersion\Winlogon "Shell" = Explorer.exe nerosys.exe
Or via the SYSTEM.INI system file (9x):
[boot]
"shell" = Explorer.exe nerosys.exe
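Both startup hooks above amount to appending a second program to a shell line that should contain only Explorer.exe. As an added example (not from the original description), the Python below checks a shell value from either source: it parses a constructed SYSTEM.INI [boot] section, reads the live Winlogon Shell value when run on a Windows NT-family host, and reports any program other than Explorer.exe. The SYSTEM.INI contents are constructed; the registry path is the standard Winlogon key and everything else is standard-library code.

```python
import configparser
import platform
import re

EXPECTED_SHELL = "explorer.exe"

# Constructed SYSTEM.INI fragment showing the hooked [boot] shell line (not a real file).
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe nerosys.exe
mouse.drv=mouse.drv
[386Enh]
device=*vmm32
"""


def shell_entries(value: str) -> list:
    """Split a shell value such as 'Explorer.exe nerosys.exe' into program tokens."""
    return [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]


def unexpected_shell_entries(value: str) -> list:
    """Return every program in the shell value other than Explorer.exe (path ignored)."""
    unexpected = []
    for tok in shell_entries(value):
        basename = tok.strip('"').lower().rsplit("\\", 1)[-1]
        if basename != EXPECTED_SHELL:
            unexpected.append(tok)
    return unexpected


def system_ini_shell(text: str):
    """Extract shell= from the [boot] section of SYSTEM.INI text; None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if parser.has_option("boot", "shell"):
        return parser.get("boot", "shell").strip()
    return None


def winlogon_shell():
    """On a Windows host, read HKLM\\...\\Winlogon\\Shell; None elsewhere or if unset."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, so imported lazily
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


def audit(shell_value: str, source: str) -> dict:
    """Report whether a shell value carries extra programs, as the worm's hook does."""
    extra = unexpected_shell_entries(shell_value or "")
    return {"source": source, "shell": shell_value, "extra": extra, "hooked": bool(extra)}


if __name__ == "__main__":
    reports = [audit(system_ini_shell(SAMPLE_SYSTEM_INI),
                     "SYSTEM.INI [boot] shell (constructed sample)")]
    live = winlogon_shell()
    if live is not None:
        reports.append(audit(live, "HKLM Winlogon\\Shell (this host)"))
    for report in reports:
        status = "HOOKED" if report["hooked"] else "ok"
        print(f"{status:6} {report['source']}: {report['shell']!r} extra={report['extra']}")
```

The comparison is on the basename so that a fully qualified Explorer.exe path is not reported, while anything appended after it is.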
The worm spreads by mailing itself (using Outlook) to recipients listed in the Outlook Address Book.
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
In some particular cases an additional step is needed: boot to the Microsoft Recovery Console and restore a clean MBR.