F-Secure Virus Descriptions : Neroma
| NAME: | Neroma |
| ALIAS: | Nearby, I-Worm.Nearby, Win32/Neroma.worm.5632 |
| ALIAS: | W32.Neroma@mm, I-Worm.Win32.Maro.5632 |
Nearby is a simple e-mail worm written in Visual Basic. The worm
usually arrives as an attachment to an e-mail that looks like
that:
Subject:
It's Near 911!
Body:
Nice butt baby!
Attachment:
nerosys.exe
Some e-mail browsers can show the attachment name as 911.JPG.
Due to a bug the infected message body can miss the first letter.
When run, the worm installs itself to system by copying its file
to Windows folder and modifying SYSTEM.INI file to be always
started with Windows. On NT-based systems the startup key is
created in the Registry. Once activated, the worm browses Outlook
Address Book and sends itself to all e-mail addresses listed
there.
The worm deletes all files in Windows folder on the following
dates: 1, 4, 8, 12, 16, 20, 24, 28
Detection of Neroma.A in F-Secure Anti-Virus was published on
September 5th, 2003 in update:
Version=2003-09-05_01
Nearby is a simple e-mail worm written in Visual Basic. The worm
usually arrives as an attachment to an e-mail that looks like
that:
Subject:
Time to 911!
Body:
Hi, Nice butt!
Attachment:
nrs.exe
Some e-mail browsers can show the attachment name as 119.GIF.
Due to a bug the infected message body can miss the first letter.
When run, the worm installs itself to system by copying its file
to Windows folder and modifying SYSTEM.INI file to be always
started with Windows. On NT-based systems the startup key is
created in the Registry. Once activated, the worm browses Outlook
Address Book and sends itself to all e-mail addresses listed
there.
The worm deletes all files in Windows folder on the following
dates: 1, 9, 11
Detection of Neroma.B in F-Secure Anti-Virus was published on
September 5th, 2003 in update:
Version=2003-09-05_02
Technical Details:
Alexey Podrezov; Sami Rautiainen; Katrin Tocheva; 5th of September, 2003;
F-Secure Corporation
|
![](/images/pixel.gif"){kind=tracking}
