Fourcourse is a Visual Basic Script trojan which consists of two VBS files. The first file carries another Visual Basic Script which it drops in the root of C: drive as sysw32.vbs.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
It also changes Windows registry by adding the following key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysw32= C:\sysw32.vbs
So the next time the system is restarted, the trojan in sysw32.vbs is executed.If the system date is after April 1st, 2003 the script code in sysw32.vbs tries to use all four COM ports to dial a phone number.
F-Secure Anti-Virus detects Fourcourse trojan with the updates published on March
Technical Details: Katrin Tocheva and Sami Rautiainen; F-Secure Corp.; March 11th, 2003