Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Scold.A

Win32/Scold.A is a worm spreading in the form of a file in the attachment of an e-mail. It works in Windows 95 or newer versions of Windows operating system. It is written in VisualBasic and its body has a length of 28160 bytes. It is compressed by UPX utility. After it is decompressed its length is 77 Kb.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The subdirectory System or System32 placed in %windir% has a name %system%.

The worm arrives with the message having subject: When It's Cold Outside She Gives Me Warm Inside. The subject line can begin with either "Re:" or "Fw:". There is a following text in the body of the message.

You will love this cute picture.
Enjoy this great picture.
Don't miss this cool picture.

The rest of the message body should imply that the message has been scanned by an antivirus system and the message is virus-free.

Free Online Virus Scan
=============
100% VIRUS FREE
No viruses or suspicious files were found in the attached file.

The message has an attachment having length of 28160 bytes with a random names with extension ".scr". The attachment is a worm Win32/Scold.A

Upon opening the attachment the worm shows the following picture.

And it creates its copies named "Warm.scr" in the directory %windir%. The length of both files is 28160 bytes. It assures the activation of the copy of the worm after restarting the system by creating an item ExeName32 in the system registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It sets its value to %windir%/Warm.scr.

The worm acquires addresses for its spreading from the MS Outlook client and from selected file with the following extensions: htm, html and ctt.

NOD32 detected the worm Win32/Scold.A using extended heuristics without upgrading. The detection using Win32/Scold.A sample is added from version 1.577.