W32/Bagle.cj@MM

Type
Virus
SubType
Internet Worm
Discovery Date
09/19/2005
Length
35,554 Bytes
Minimum DAT
4585 (09/19/2005)
Updated DAT
4585 (09/19/2005)
Minimum Engine
5.1.00
Description Added
09/19/2005
Description Modified
09/19/2005 9:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailing worm arrives as an email attachment in a message. During our tests, we couldn't observe the mass-mailing process.

However, we received reports that this worm was attached to email in a ZIP archive named PRICE_09.ZIP; the file within the ZIP archive was named PRICE.EXE.

After execution, the worm drops two files into the %windir%\system32 folder:

  • winshost.exe (35,554 bytes)
  • wiwshost.exe (8,660 bytes)

and creates a key in the registry, causing the worm to get executed each time on boot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe"

Symptoms

  • Existence of the files and registry key mentioned above.
  • An empty NOTEPAD.EXE window popping up after executing the attachment.
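A read-only check for the indicators listed above, added here as an example and not part of the McAfee description: it looks for the two dropped files in %windir%\system32 (comparing against the sizes stated on this page) and for a value under the HKCU Run key that is named winshost.exe or points at it. It assumes the quoted "winshost.exe" is the Run value's name; it only reports, leaving removal to the engine and DAT.

```powershell
# Added example: report W32/Bagle.cj@MM indicators from this description.
# Read-only: nothing is deleted or modified.

$system32 = Join-Path $env:windir 'system32'

# File name -> size in bytes, as stated in the description.
$droppedFiles = @{
    'winshost.exe' = 35554
    'wiwshost.exe' = 8660
}

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'winshost.exe'   # assumed to be the Run value's name

$findings = @()

foreach ($name in $droppedFiles.Keys) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $size = (Get-Item -LiteralPath $path).Length
        $note = if ($size -eq $droppedFiles[$name]) {
            'size matches description'
        } else {
            "size $size bytes differs from description"
        }
        $findings += "File present: $path ($note)"
    }
}

# Check every Run value: flag one named winshost.exe or whose data references it.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($prop in $runProps.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if ($prop.Name -ieq $runValue -or "$($prop.Value)" -match 'winshost\.exe') {
            $findings += "Run value: $runKey\$($prop.Name) = $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Bagle.cj@MM indicators found.'
    exit 0
}

Write-Output 'Possible W32/Bagle.cj@MM infection; indicators found:'
$findings | ForEach-Object { Write-Output "  $_" }
exit 1   # non-zero so a login script or scheduled job can act on the result
```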

Method of Infection

  • This worm arrives via email. It does not use any exploit to get executed without user interaction; the recipient must run the attachment.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.