WORM_RANSOM.FD
WORM_RANSOM.FD may be downloaded from remote websites by other malware, or you may download it unknowingly when visiting untrusted web pages. Once installed and active on a computer, WORM_RANSOM.FD typically alters registry entries so that it runs automatically when Windows starts. WORM_RANSOM.FD gathers email addresses from cached email messages, address books and mailboxes, and then sends email messages with a copy of itself as an attachment to the captured addresses. The email reads as follows:
"SUBJECT:
You are a very lucky man, read this mail!
BODY:
Hi, you won a big amount of money!!! If you want to know more look at the attachment!
ATTACHMENT:
BigCashForYou.exe"
If you receive this or a similar email, delete it quickly. If you discover that your computer is infected with WORM_RANSOM.FD, remove it as soon as possible.
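A mail filter can check for this message mechanically. The sketch below is an added example, not code from the original page: it parses a raw message and reports whether the subject or attachment name matches the text quoted above, or whether any attachment is executable. The function names, the extension list and the `example.test` sample messages are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the message quoted above (compared case-insensitively).
WORM_SUBJECT = "you are a very lucky man, read this mail!"
WORM_ATTACHMENT = "bigcashforyou.exe"
# Assumption: extensions that count as a "similar" executable attachment.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def match_reasons(raw_message):
    """Return the reasons a raw RFC 5322 message resembles the worm's email."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == WORM_SUBJECT:
        reasons.append("subject")
    for part in msg.walk():  # visits every MIME part, nested ones included
        name = (part.get_filename() or "").strip().lower()
        if name == WORM_ATTACHMENT:
            reasons.append("attachment-name")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable-attachment")
    return reasons


def build_sample(subject, filename=None):
    """Build a constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples: the lure as quoted, a renamed variant, and a benign mail.
SAMPLES = {
    "as-quoted": build_sample("You are a very lucky man, read this mail!", "BigCashForYou.exe"),
    "renamed": build_sample("Your prize is waiting", "Prize.PDF.Scr"),
    "benign": build_sample("Meeting minutes", "minutes.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, match_reasons(raw))
```

An empty result means no indicator matched; the generic executable-attachment reason covers copies sent under a different subject or file name.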
File System Modifications
- The following files were created in the system:
  1. %System%\kkk.exe
  2. %System%\recovery.exe
  3. BigCashForYou.exe
Registry Modifications
- The following registry values were newly created:
HKEY..\..\..\..{Subkeys}
  HKEY_CURRENT_USER\Identities\{0C0763B6-7496-4D73-AF61-F747E5CEBA0A}\Software\Microsoft\Outlook Express\5.0\Mail
    Warn on Mapi Send = "0"
HKEY..\..\..\..{RegistryKeys}
  Windows Recovery Console = "%System%\recovery.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run