A new Messenger worm Fleming has been found on October 9th, 2002. The worm spreads using the following message:
"Hey!! Could you please check out this program for me ? : ) I made it myself and want people to test it. Its a readme with the program that explains what it does! [link to the infected web page] -- There you can download it! give me advices on what to upgrade please!!
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Once executed from the file BR2002.exe on the web page, the worm automatically updates itself and saves on C: drive as:
C:\update35784.exe
Fleming worm also saves another file CS-Keygen.exe as:
C:\hehe2397824.exe
contacted the ISP responsible for the web site and the page containing the worm has been closed immediately. This makes the worm unable to spread and update itself further.