W32/Cream.a

This page shows the details and results of our analysis of the malware W32/Cream.a.

Overview

W32/Cream is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further.


Minimum DAT: 5090 (2007-08-03)

Updated DAT: 5150 (2007-10-26)

Minimum Engine: 4.4.00

File Length: N/A

Description Added: 2007-08-03

Description Modified: 2007-09-18

Malware Proliferation

Characteristics

W32/Cream is a file infector. The virus places several hooks in the victim file's code and takes control of the execution flow when one of these hooks is reached. Therefore the virus code is not executed directly when an infected file is run; it runs only when specific actions in the infected program reach a hook. For example, on an observed sample the virus code was executed when the "About" dialog box was opened.

In this case the virus had modified the "About" message box to display a slightly different message.

Upon showing the above box, a tune was played.

No other malicious activity was observed.

Symptoms

Infected files will have their size increased.

Upon performing a specific action on an infected file, the virus may start playing a tune.

Method of Infection

The only way to infect a computer with a file-infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources, including floppy diskettes, downloads through an online service, the network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps also need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

Variants