WORM_RECORY.A
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Recory.a (Kaspersky), W32/Revocer.a@MM (McAfee), W32.Recory@mm (Symantec), Worm/Recory (Avira), W32/Recory-A (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95/98/ME/NT/2000/XP

Encrypted: Yes

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm uses Microsoft Outlook to spread copies of itself via email. It sends itself as an attachment to all email addresses in the distribution lists of the Microsoft Outlook address book. The email has the following details:

Subject: <could be any of the following>
Microsoft Support
Fwd: Computer Virus fix Tool
Fwd: Computer Virus Alert
Fwd: Latest News
Fw: Important
Fwd: Latest Computer Virus outbreak
Fwd: Damaged Software information
Fwd: Urgent inforation
Email Security Update
Fw: Serious Alert
From helpdesk support
Fw: Read this
Free support
Technical support
Fw: Client support
Security update
Software patch
Microsoft news
Fwd: Software alert
Important information
Fwd: Help on Computer issue
Fw: High-threat computer virus fix
Fwd: Computer issues
Fwd: Severe virus alert
Software support
Fw: Attention users
Fwd: Email virus alert
High-risk computer virus removal
Fwd: Attention employees

Message Body:
Hello readers,
I have just cleaned my computer from a highly damaging computer virus
Which is spreading rapidly through computer networks worldwide.

There is one way to check to see if your computer is infected with this virus.

Click the "Start" menu at the bottom left of your screen.
Click the "Find" or "Search" button.
Click the "Files or folders..." option.
Then once the search application starts, type "Jdbgmgr.exe"

If you have found this file, right-click on it and click the "Properties" tab.
If the Properties menu has a picture of a bear on it,
your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it)
You may delete this file, but this is not the only file that the virus infects,
To remove this virus, I have included a virus removal tool in the attachments ""
that will scan all system files and remove any infectious code from them.
This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies.
If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide.

Attachment: <could be any of the following>
Fixvir.exe
Fixtool.exe
Remove32.com
Virusremove.pif
Cleanvir.pif
Recovery.exe
Scan32.pif
Cleaner.pif
Cleanvirus.com
Removal.exe
Deletevir.com
Scanvir.pif
Killvirus.com
Killvir.com
Virusfix.exe
Fixvirus.com
Fixvir.pif

It also drops several copies of itself in the shared folders of ICQ and Kazaa, making itself easily accessible for other users to download.

This worm overwrites the system file, Jdbgmgr.exe, and disguises itself as a virus fix tool from a known antivirus vendor.
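
The following mail-filter check is an added example, not part of the original description or any Trend Micro tool. It parses a message and flags the attachment names listed above, any attachment with the same executable extensions, and body text that mentions Jdbgmgr.exe. The function names, verdict labels and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in this description, compared case-insensitively.
KNOWN_NAMES = {n.lower() for n in """
Fixvir.exe Fixtool.exe Remove32.com Virusremove.pif Cleanvir.pif Recovery.exe
Scan32.pif Cleaner.pif Cleanvirus.com Removal.exe Deletevir.com Scanvir.pif
Killvirus.com Killvir.com Virusfix.exe Fixvirus.com Fixvir.pif""".split()}
RISKY_EXT = (".exe", ".com", ".pif")   # the extensions those names use
BODY_MARKER = "jdbgmgr.exe"            # file the message body tells readers to look for

def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Normalise names: lower-case, drop padding and trailing dots.
    names = [(p.get_filename() or "").strip().rstrip(". ").lower()
             for p in msg.iter_attachments()]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part is not None else ""
    result = {
        "known_name": sorted(n for n in names if n in KNOWN_NAMES),
        "risky_ext": sorted(n for n in names if n.endswith(RISKY_EXT)),
        "body_marker": BODY_MARKER in body,
    }
    if result["known_name"]:
        result["verdict"] = "match"        # listed attachment name
    elif result["risky_ext"] or result["body_marker"]:
        result["verdict"] = "suspicious"   # generic executable attachment or lure text
    else:
        result["verdict"] = "clean"
    return result

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample("Fwd: Computer Virus Alert",
                                     'type "Jdbgmgr.exe"', "Fixvir.pif")))
```

The subject lines are left out of the check because most of them are generic phrases that also appear in legitimate mail.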


Description created: Dec. 31, 2002 10:41:27 PM GMT -0800
Description updated: Dec. 31, 2002 11:16:36 PM GMT -0800
