Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Carewmr


Aliases:


Carewmr
VBS/Carewmr, VBS.AVFake

Malware
Trojan
VBS

Summary

VBS/Carewmr is a trojan written with Visual Basic Script. Upon execution the trojan displays three messages.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

This a simple trojan that, when executed, will show following three messages:

	Welcome to CLRAV of Kaspersky Labs, press OK or Accept to Start
	scanning your computer.

	ERROR!, Code error:3212552, please execute this tool in MS-DOS.

	Thank You for prefer Kaspersky Labs Products

At September 1st, it shows an additional message in Spanish:

	Mr.Carew vuelve otra vez!!, jaja

which means in English

	Mr.Carew comes back again!!, jaja

After these messsages, the trojan will open the web page http://www.avp.ru using the default browser.

Next, the trojan attemps to remove a number of registry keys, attempting to disable several security software:

	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAVW32
	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrueVector
	HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ZoneAlarm Pro

The trojan also creates a number of directories and empty files to the root of the C: drive using for example names of different anti-virus products. It also attempts to delete all files from the C:\Windows directory.

Finally the trojan creates a text file to the current directory "CLRAV_Report.log" with the following content:

	Due an error, Code error:3212552, CLRAV has not disinfect your
	computer For Support please send a e-mail to support@kaspersky.com
	and please indicate the Code Error.

The trojan has the following comment in the beginning:

'VBS.CarewMR.a By Jadraquer Killer (Mr.Carew)



Detection

F-Secure Anti-Virus detects this trojan with the current updates.



Technical Details: Katrin Tocheva and Sami Rautiainen; translation: Ero Carrera; F-Secure Corp.; October 22th, 2002



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free