

Email-Worm.Win32.Calposa or Calposa is a worm that spreads through email. The worm itself is a Windows PE EXE file about 57KB in length and is written in Visual Basic.

Details

Calposa spreads as an attachment to infected emails as well as through the Kazaa file sharing network.

The infected email messages have the following attributes:

Subject: Anti-Virus Programs are corrupting your Software!

Want to know why you get junk mail? Well Here is proof that AV's are corrupting your programs and Sell your Private information to Web Company's! Why do you think there are so much virus's out there? well its these Company's that spread them and then sell you there product to delete them! check it out now... (p.s. its attatched)

Attachment: ActiveX.exe, or Telnet.exe, or MSWord.exe

The worm activates from an infected email only when a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine and payload.

Installing

While installing, the worm copies itself to the system under the following names:

C:\Windows\ActiveX.exe

C:\Windows\SCR.exe

C:\Windows\Explorer.exe

C:\Windows\Telnet.exe

C:\Windows\MSWord.exe

C:\Windows\FUCK_AVs.exe

C:\Windows\regedit.exe

C:\Windows\Mixer.exe

C:\WINDOWS\System\Explorer.exe

The worm does not register any of these files in the system registry auto-run key, nor in any other "auto-run" key or command.

Spreading: Email

To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.

Spreading: Kazaa

The worm copies itself to the "C:\Program Files\KaZaa\My Shared Folder\" directory with the following names:

norton_crack.exe

UT3_full_crack.exe

Windows_Hack.exe

Sims_Patch.exe

If this directory is a Kazaa file-sharing directory, the worm will spread over the Kazaa network.

Payload

The worm displays the message:

UH OH WORM!

... Calposa by Industry @ ANVXgroup ...

The worm writes the following data to the "c:\Windows\System.ini" file:

[About]

Author = Industry

VXgroup = ANVXgroup (Auxnet)

Virus = ANVX (WIN32.calposa@mm)

Shouts to = Indovirus, mANiAC89, Retro, Iwing, and every one else.

Fuck = Fuck all AV's, we keep you in a job so give us a bit of slack!

To the rest = ANVX the one and only!

On April 1, the worm deletes all files in the following directories:

 C:\Windows\

 C:\Windows\System32\

 C:\Windows\System\

 C:\Windows\inf\

 C:\Program Files\Kazaa\

then it deletes the file:

 C:\AutoExec.bat

and displays the message:

Industry ...ping? pong!...

On February 16, the worm displays a red-colored picture with the text "ANVX by industry" on it.

On April 2 the worm displays the message:

UH OH WORM! ... Second Release From Industry ...
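
The dropped file names, the Kazaa share names and the [About] block in System.ini described above can be checked on a host or a mounted disk image. The Python below is an added example, not part of the original description: the function names, the idea of passing a directory that stands in for C:\, and the 50-64 KB size window around "about 57KB" are assumptions. Because Explorer.exe and regedit.exe are also genuine Windows files, those two names are reported only when the size falls inside that window.

```python
from pathlib import Path

# Names from the description above, lower-cased for case-insensitive matching.
WINDOWS_DROPS = {"activex.exe", "scr.exe", "explorer.exe", "telnet.exe",
                 "msword.exe", "fuck_avs.exe", "regedit.exe", "mixer.exe"}
KAZAA_DROPS = {"norton_crack.exe", "ut3_full_crack.exe",
               "windows_hack.exe", "sims_patch.exe"}
LEGIT_NAMES = {"explorer.exe", "regedit.exe"}  # also genuine Windows binaries
SIZE_RANGE = (50 * 1024, 64 * 1024)  # assumed window around "about 57KB"

def find(base, *parts):
    """Resolve parts under base ignoring case (for images mounted on Linux)."""
    cur = base
    for part in parts:
        if cur is None or not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
    return cur

def name_hits(directory, names):
    """Return (path, label) for files in directory whose name is an indicator."""
    hits = []
    entries = sorted(directory.iterdir()) if directory and directory.is_dir() else []
    for f in entries:
        name = f.name.lower()
        if f.is_file() and name in names:
            near = SIZE_RANGE[0] <= f.stat().st_size <= SIZE_RANGE[1]
            if near or name not in LEGIT_NAMES:  # skip genuine-sized OS files
                hits.append((str(f), "size~57KB" if near else "name-only"))
    return hits

def has_about_marker(ini):
    """True if System.ini holds the [About] section the worm writes."""
    text = ini.read_text(errors="replace").lower()
    about = text.partition("[about]")[2].partition("\n[")[0]  # body of [About] only
    return any(l.replace(" ", "").strip() == "author=industry" or "calposa" in l
               for l in about.splitlines())

def scan(root):
    """Collect findings under root, a directory standing in for C:\\."""
    win = find(Path(root), "Windows")
    shared = find(Path(root), "Program Files", "KaZaa", "My Shared Folder")
    found = (name_hits(win, WINDOWS_DROPS) + name_hits(shared, KAZAA_DROPS)
             + name_hits(find(win, "System"), {"explorer.exe"}))
    ini = find(win, "System.ini")
    if ini is not None and ini.is_file() and has_about_marker(ini):
        found.append((str(ini), "about-section"))
    return found
```
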
