W32.Rarbeauty Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32.Rarbeauty Worm

Information about the W32.Rarbeauty Worm:

W32.Rarbeauty is a mass mailing worm. The worm will infect Windows systems and spreads by attaching itself to emails sent to all Microsoft Outlook contacts.

Upon execution the worm copies itself as the following files;

ctfmon.exe in Windows\Help folder,
msconfig.exe, regedit.exe and regedit32.com in Windows System folder,
svchost.exe in Windows\Web folder,
autorun.inf in Root of the Drive
(File_Name).exe in Windows\(Folder_Name) folder where

(Folder_Name) will be one of the following:

system
web
fonts
temp
help

and (File_Name) will be any of the following names:

winlogon.exe
csrss.exe
taskmgr.exe
lsass.exe
smss.exe
svchost.exe
internat.exe
spoolsv.exe
kav.exe
conime.exe

It also copies itself to all folders on all drives or overwrites any file it finds in the following pattern:

%DriveLetter%\(Folder_Name)\(Folder_Name).exe

The worm also overwrites notepad.exe and regedit.exe present in the Windows System folder.

The worm modifies the registry at the following location to load itself during each startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"

The worm sends itself as an email attachment to all outlook contacts with the following characteristics:

The "Subject" of the mail will be any one of the following:

!Your account have been ready!!
BY Microsoft Visual Studio
Beautifulgirl
CAN I HELP YOU
Can you help me?
Help me to test the Gameprogram?
Is it the Document that you want
Is it ther Document that you want? YOU can see it by runing the attachment
Microsoft Visual Studio is found A LOT BUG! Try to repair by attachments!
She is the most beautiful girl of china
The best important mend of Microsoft ,Please run the mend!!
You can see
You should run the mend at once,or you will be infected by the most severity virus SOO
Your account have been ready! Open the email

The name of the "Attachment" will be any one of the following:

Accountaffirm.com
Accountaffirm.rar
Accountaffirm.pif
Beautifulgirl.pif
Beautifulgirl.rar
Beautifulgirl.com
Gameprogram.pif
Gameprogram.rar
Gameprogram.com
ImportantFile.doc.exe
ImportantFile.rar
ImportantFile.pif
ImportantMend.doc.exe
ImportantMend.rar
ImportantMend.pif
MicrosoftVisualStudio_BuG.exe
MicrosoftVisualStudio_BuG.rar
WINDOWSUPDATE.com

This worm first appeared on December 12, 2007.

Other names of W32.Rarbeauty Worm:

This Worm is also known as W32.Rarbeauty@mm.

Download the FREE Evaluation copy of Protector Plus antivirus software

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

Special Offer Order Protector Plus Antivirus software Now and get SpamChoke Antispam Software worth $29.95 FREE!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software