Win32:Opas

Win32:Opas is a network worm combined with a backdoor. It spreads over local and global networks using NetBIOS services. The worm is about 28 kilobytes long. It installs itself into the Windows directory under the name scrsvr.exe and adds the following value to the registry so that it is started at every Windows boot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr

The worm then deletes the file in which it arrived on the computer. To locate possible victims it scans networks on UDP port 137 (NetBIOS Name Service). The following subnets are scanned:
- current (infected) computer subnet (aa.bb.cc.??)
- two neighbor subnets (aa.bb.cc+1.?? , aa.bb.cc-1.??)
- random selected subnets (except several ones that are forbidden for scanning)

If it gets a reply from any IP address, the worm also scans the two subnets neighbouring that address. If the responding computer has File and Print Sharing enabled, the worm tries to infect it: it connects to the remote computer and, if the share is protected by a password, tries to open it with every one-character password. If successful, it copies its EXE file to the remote computer as WINDOWS\scrsvr.exe, reads the remote WINDOWS\win.ini, adds a run command for that file and writes the file back. On the next Windows restart the worm's copy is activated.
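The sweep pattern described above (a host probing UDP/137 across its own /24 and both adjacent /24s) is distinctive enough to detect from firewall logs. The following is an added example, not code from the Avast write-up: it parses constructed iptables-style log lines (the SRC=/DST=/PROTO=/DPT= field layout, the sample traffic and the min_hosts threshold are all assumptions for the example) and reports sources whose probing matches the worm's subnet selection.

```python
"""Flag hosts whose UDP/137 probing matches the Win32:Opas sweep pattern.

Added example, not code from the Avast write-up. The iptables-style log
format (SRC= DST= PROTO= DPT= fields), the sample lines and the min_hosts
threshold are constructed assumptions for the example.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def neighbor_subnets(ip):
    """Return the /24s the worm sweeps around a host: cc-1, cc and cc+1.

    The write-up does not say what happens at the 0 and 255 boundaries;
    assumption here: an out-of-range neighbour is simply dropped.
    """
    a, b, c, _ = (int(o) for o in ip.split("."))
    return [
        ipaddress.ip_network(f"{a}.{b}.{cc}.0/24")
        for cc in (c - 1, c, c + 1)
        if 0 <= cc <= 255
    ]


def find_opas_sweeps(lines, min_hosts=8):
    """Return {source: [subnets]} for sources that probed UDP/137 on at least
    min_hosts distinct targets in their own /24 and in each adjacent /24."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> /24 -> {dst}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or m["dpt"] != "137":
            continue
        dst_net = ipaddress.ip_network(m["dst"] + "/24", strict=False)
        targets[m["src"]][dst_net].add(m["dst"])
    hits = {}
    for src, per_net in targets.items():
        expected = neighbor_subnets(src)
        if all(len(per_net.get(net, ())) >= min_hosts for net in expected):
            hits[src] = [str(net) for net in expected]
    return hits


def _probe(src, dst):
    # Constructed iptables-style line for a NetBIOS name-service packet.
    return f"Oct  3 10:01:02 fw kernel: IN=eth0 SRC={src} DST={dst} PROTO=UDP SPT=137 DPT=137"


# Constructed sample: 10.1.5.23 sweeps 10.1.4.0/24, 10.1.5.0/24 and 10.1.6.0/24
# (the infected host's own subnet and its two neighbours); 10.1.5.50 does two
# ordinary name lookups; 10.1.5.60 opens one TCP/139 session, not a scan.
SAMPLE_LINES = (
    [_probe("10.1.5.23", f"10.1.{cc}.{h}") for cc in (4, 5, 6) for h in range(1, 41)]
    + [_probe("10.1.5.50", "10.1.5.10"), _probe("10.1.5.50", "10.1.5.11")]
    + ["Oct  3 10:01:03 fw kernel: IN=eth0 SRC=10.1.5.60 DST=10.1.5.1 PROTO=TCP SPT=4001 DPT=139"]
)

if __name__ == "__main__":
    for src, nets in find_opas_sweeps(SAMPLE_LINES).items():
        print(f"{src} swept {', '.join(nets)} on UDP/137 (Win32:Opas-like pattern)")
```

Requiring hits in all three subnets keeps ordinary NetBIOS name lookups (a few targets in the local subnet only) below the threshold; the random-subnet part of the worm's scanning is not modelled here because it is not predictable from the source address.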

Windows NT/2000/XP computers are not vulnerable to this attack, unlike Windows 9x/Me computers. The worm also uses a very old security hole in the Windows 9x/Me share-level password check: on unpatched computers it can gain access to shared disks even when they are protected by passwords longer than one character. See Microsoft Security Bulletin MS00-072 for details.

The backdoor part of this worm tries to connect to www.opasoft.com and download an updated version of itself. That web site is currently down, however.

It can also cause garbage to be printed on network printers.

Removal:
- disable file sharing, or protect shared drives/folders/files with a strong password (on Windows 9x/Me also apply the MS00-072 patch; without it, even a long password does not protect the share from this worm)
- delete infected EXE file
- remove the worm's run commands from WIN.INI and from the system registry

Variants:
Some variants are packed with UPX (24064 bytes long) and use different file names: the first variant installs itself as BRASIL.PIF and the second as BRASIL.EXE.
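For the removal steps and the variant file names above, the autostart entries are the indicators worth checking. The following is an added example, not code from the Avast write-up: it works offline on text already exported from the machine (the win.ini contents and a name -> command dump of the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key) and lists the entries that point at scrsvr.exe, BRASIL.PIF or BRASIL.EXE or use the ScrSvr value name. The sample data is constructed, and splitting the run= line on spaces and commas is an assumption about how several programs are listed there.

```python
"""Check win.ini and the Run key for the Win32:Opas autostart entries.

Added example, not code from the Avast write-up. It works on text already
exported from the machine (win.ini contents and a name -> command dump of
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run), so it runs offline;
the sample data below is constructed. Splitting run= on spaces and commas is
an assumption about how several programs are listed on that line.
"""
import ntpath
import re

# File names from the write-up: the main variant and the two UPX-packed ones.
WORM_NAMES = {"scrsvr.exe", "brasil.pif", "brasil.exe"}


def win_ini_autoruns(text):
    """Return (key, value) pairs for run= and load= in the [windows] section."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load"):
                found.append((key.lower(), value))
    return found


def _is_worm_file(command):
    # Compare only the file name, so any drive or directory prefix is accepted.
    return ntpath.basename(command.strip('"')).lower() in WORM_NAMES


def opas_indicators(win_ini_text, run_values):
    """List autostart entries pointing at a known Win32:Opas file name, or
    using the ScrSvr value name the worm creates under the Run key."""
    hits = []
    for key, value in win_ini_autoruns(win_ini_text):
        if any(_is_worm_file(cmd) for cmd in re.split(r"[ ,]+", value) if cmd):
            hits.append(f"win.ini [windows] {key}={value}")
    for name, command in run_values.items():
        if name.lower() == "scrsvr" or _is_worm_file(command):
            hits.append(f"HKLM\\...\\CurrentVersion\\Run\\{name} = {command}")
    return hits


# Constructed sample data for an infected Windows 9x computer.
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\scrsvr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_VALUES = {
    "ScrSvr": "c:\\windows\\scrsvr.exe",
    "SystemTray": "SysTray.Exe",
}

if __name__ == "__main__":
    for hit in opas_indicators(SAMPLE_WIN_INI, SAMPLE_RUN_VALUES):
        print("remove:", hit)
```

Both run= and load= in win.ini are checked because either starts a program at logon on Windows 9x/Me; the registry comparison matches on the file name as well as on the ScrSvr value name, so a renamed value still pointing at scrsvr.exe is reported.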

Any avast! with VPS file dated on or after 1st October 2002 is able to detect this worm.

Refer: Avast



Copyright © 2004-2004 All rights reserved.