Scano.L - F-Prot Antivirus Virus Information

Virus Info > Virus Threats > Scano.L

W32/Scano.L

Summary of W32/Scano.L
Discovered:	9 May 2006
Definition files:	9 May 2006
Risk Level:	Medium
Distribution:	Low

Jump to:

Brief description
Technical description
Removal Instructions

Brief Description

W32/Scano.L is a mass-mailing worm. It harvests e-mail addresses from the infected computer and sends a copy of itself via e-mail to the harvested addresses. It also tries to download and execute files from the internet.

Technical Description

Upon first execution of the worm it copies itself to %WINDIR%\csrss.exe and executes it.

The worm creates the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

and adds the value:

"Debugger"="%WINDIR%\csrss.exe"

to it.

The unpacked version of the worm contains the string:

/scannow

from this the worm derives its name.

It harvests e-mail addresses on all available hard drives, in all files having one of the following extensions:

adb
asp
cfg
cgi
mra
dbx
dhtm
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
dhtml

It avoids sending itself to addresses containing any of the following substrings:

@example.
2003
2004
2005
2006
@microsoft
rating@
f-secur
news
update
.qmail
.gif
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
0000
Mailer-Daemon@
@subscribe
kasp
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
torvalds@
sopho
@foo
@iana
free-av
@messagelab
winzip
google
winrar
samples
spm111@
.00
---
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
postmaster@

Removal Instructions

For general removal instructions please click here.

Marteinn Þór Harðarson

Virus Info by Platform

W32	Script	Macro
DOS	UNIX	All

Virus Info by Letter:

A	B	C	D	E	F
G	H	I	J	K	L
M	N	O	P	Q	R
S	T	U	V	W	X
Y	Z	All

F-PROT Antivirus Alerts

Stay up to date with important developments via e-mail.

Life cyle policy

Stay up to date with life cycle policies for F-PROT Antivirus for Windows.

Virus news and information directly to your desktop.

Glossary of Terms

Definitions of common antivirus terminology.

More Virus Info

For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)

Legal notices | Privacy policy | FRISK Software International © 1993-2009. All rights reserved.

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net