This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4176 (2001-12-12)Updated DAT
This mass-mailing worm sends itself to all recipients found in the Outlook Address book and creates a VBScript which saves many copies of itself to all local and mapped network drives. As the worm sends itself using both the TO: and BCC: fields, recipients are likely to receive the virus in pairs. It arrives in an email message with the following information:
The subject is derived by randomly combining several strings. There are 4 groupings of these strings and one group, or phrase, is chosen from each in succession:
Group1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : "
Group2 = "Check ", "Check out", "Watch out ", "Open ", "Look at "
Group3 = "this ", "my ", "For this ", "The ", "Subject ", "Picture ", "Program "
Group4 = "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"
For example: Just Watch out For this Documment or You Should Watch out The Private Pic
This is the file you ask for, Please save it to disk and open this file,
it's very important.
or Attachment: install.exe
or Attachment: Readme.exe
or Attachment: Files.exe
or Attachment: Picture.exe
or Attachment: Quotation.Doc.exe
or Attachment: Letter.Doc.exe
or Attachment: Picture.jpg.exe
Clicking on the attachment infects your machine. The worm sends itself using MAPI to all recipients in the Microsoft Outlook Address book. It saves a copy of itself to the WINDOWS directory as UPDATE.EXE and creates a registry run key to load itself at startup:
A fake error message is displayed:
A VBScript file is written to C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs which will run upon restart under Win9x/ME. This script file simply seeks out all DOC, EXE, and TXT files on local and mapped network drives. It does not alter these files, but rather it saves a copy of the VBS file in the same directory as those files found, using the same file name but adding VBS to the end.
On the 12th day of the month, the VBScript will display a message box:
This worm arrives as an email attachment. Clicking on this attachment causes the virus to mail itself to all recipients found in your Outlook Address book.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: