Fourcourse is a Visual Basic Script trojan which consists of two VBS files. The first file carries another Visual Basic Script which it drops in the root of C: drive as sysw32.vbs.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
It also changes Windows registry by adding the following key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysw32= C:\sysw32.vbs
So the next time the system is restarted, the trojan in sysw32.vbs is executed.If the system date is after April 1st, 2003 the script code in sysw32.vbs tries to use all four COM ports to dial a phone number.
F-Secure Anti-Virus detects Fourcourse trojan with the updates published on March
Detection Type: PC
Technical Details:Katrin Tocheva and Sami Rautiainen; F-Secure Corp.; March 11th, 2003