Anthony Joe Melgarejo
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Downloaded from the Internet
This worm may be downloaded from remote sites by other malware.
02 May 2013
This worm may be downloaded from remote site(s) by the following malware:
This worm downloads updated copies of itself from the following websites:
This worm checks for the presence of the following process(es):
Once it finds the browser processes mentioned, it will look for the c_user and xs cookies to bypass Facebook authentication.
Then, it will utilize a Facebook Anti-CSRF token, fb_dtsg, to spam messages containing a sentence and the link to the updated copy of itself.
The sentence is written in 11 different languages:
i cant believe i still have this picture
kennst du das foto schon?
ken je dat foto nog?
podivejte se na mou fotku
ser pa dette billede
mira como saliste en esta foto
katso tata kuvaa
se pa dette bildet
titta pa denna bild
c'est la photo la plus marrante!
la foto e grandiosa!
02 May 2013
03 May 2013
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Identify and terminate files detected as WORM_KUVAA.A
Remove the malware/grayware file that dropped/downloaded WORM_KUVAA.A
Scan your computer with your Trend Micro product to delete files detected as WORM_KUVAA.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.