Fakerr worm appeared in the middle of July 2003. The worm spreads itself in emails. It was also created to spread through Kazaa file sharing networks, but this routine has a bug. The worm has a dangerous payload - it can delete files on a hard drive and modify certain Registry values making Windows operating system unusable.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Being run, the worm shows a fake error message. This fake error message looks like a real error messages displayed by Windows XP. After a user clicks a button on that fake error message the worm opens CD-ROM tray and then opens several Windows configuration windows that can be usually opened from Control Panel: display, add/remove programs, time/date properties and a few others. Finally it displays the following message:
kIlLeRgUaTe Your computer now is mine, Why? Because I didn't had nothing to do and I thought, why not make the evil? Remember NOW YOUR PC IS IN MY POWER Windows Sucks! I can't stand it anymore! Windows has always sucked. Wake up people! It's a scam! You don't need a faster computer. You need a better operating system. Microsoft continuingly makes money by selling you the latest and greatest Windows. The latest Windows version is always the most inefficient yet, slowing down your fast computer. Also, now you have to upgrade all your other software too because different Windows versions are not compatible with each other! A hidden cost not mentioned at all. It's part of the scam. Capitalism Sucks!, Communism Sucks. KILLERGUATE.
Then the worm copies itself with hidden attribute to the root folder of C: drive as RUNDLL32.EXE file and modifies startup keys for the following file extensions:
exe com bat pif hta ht
The worm also creates/modifies several Registry entries, that do not allow system logoff, closing of Explorer, opening Task Manager, locking of workstation and changing a password.
The worm spreads itself in emails to all addresses found in Outlook Address Book. An infected message looks like that:
Subject:
Symantec: New serious virus found
Body:
Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
Attachment:
Norton_Symantec_Tool.exe
The worm tries to copy itelf as 'Norton 2003 Pro.exe' file to Kazaa P2P (peer-to-peer) client's shared folder, but there's an error in that routine and such an event never happens.
The worm has a dangerous payload. It can delete the following files from an infected hard drive:
C:\WINNT\system32\ntoskrnl.exe C:\WINNT\system32\command.com C:\WINNT\regedit.exe C:\windows\system32\ntoskrnl.exe C:\windows\system32\command.com C:\windows\regedit.exe C:\AUTOEXEC.bat C:\config.sys C:\WINNT\system32\*.exe C:\WINNT\system32\*.com C:\WINNT\system32\*.dll C:\WINNT\system32\*.ocx C:\windows\system32\*.dll C:\windows\system32\*.ocx C:\windows\system32\*.exe C:\windows\system32\*.com
Also the worm can delete all files from the following folders:
C:\WINNT\system C:\windows\system C:\WINNT\system32 C:\windows\system32 D:\