Removal Tool
http://www.quickheal.co.in/public/alerts/i-worm.VB_Bi.asp
or http://67.15.180.163/killworm.exe
The Black Worm, also known as W32.Vb.i or W32.Nayem.E, has been spreading actively in India for the last two weeks. It is a mass-mailing worm that also spreads through remote shares. After a long gap there is an outbreak-like situation, as this worm spread all over the globe within a few hours of first appearing on the Internet.
The worm spread so successfully because it creates a MIME-encoded compressed executable with a different extension (.HQX, .BHX) that did not have any kind of header to classify the file.
As a result, mail gateway scanners were not able to decode the attachment and scan the infected files. This is why the worm slipped through even though the mail servers had updated anti-virus scan engines. Many of the leading anti-virus vendors had to change their scan engines so that the scanners could decode the file and scan the infected attachment.
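The gateway gap described above can be closed by classifying attachments by content instead of by extension. The following is an added example, not Quick Heal's or any vendor's code. It assumes the missing header corresponds to the absent BinHex banner that a genuine .HQX file carries and that the body is bare base64; the sample messages are constructed and harmless.

```python
import base64, binascii
from email import message_from_bytes, policy
from email.message import EmailMessage

BINHEX_BANNER = b"(This file must be converted with BinHex"
ENCODED_EXTS = (".hqx", ".bhx")           # extensions named in the advisory
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "ZIP archive"}

def classify_attachment(name, body):
    """Return a finding for a suspicious encoded attachment, else None."""
    if not name.lower().endswith(ENCODED_EXTS):
        return None
    if BINHEX_BANNER in body[:512]:
        return None                        # real BinHex: normal decoder handles it
    # No banner: do not trust the extension, try the body as bare base64.
    try:
        decoded = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return f"{name}: unclassifiable encoded attachment, quarantine"
    for magic, label in MAGIC.items():
        if decoded.startswith(magic):
            return f"{name}: headerless base64 wrapping a {label}"
    return f"{name}: headerless base64, unknown content, quarantine"

def scan_message(raw):
    """Parse a raw RFC 5322 message and return findings for its attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""   # undo the transfer encoding
        finding = classify_attachment(part.get_filename() or "", body)
        if finding:
            findings.append(finding)
    return findings

def build_sample(filename, inner):
    """Constructed test message: 'inner' bytes attached under 'filename'."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(inner, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    fake_exe = base64.encodebytes(b"MZ" + b"\x00" * 60)   # harmless stub, not malware
    print(scan_message(build_sample("photos.HQX", fake_exe)))
```

The fail-closed branches matter most: an attachment the gateway cannot classify is quarantined, not passed through unscanned.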
Quick Heal AntiVirus from India was the first anti-virus to detect this worm when it first hit the net, according to the report generated and published by PC-Wallet Magazine, Germany. According to PC-Wallet, the worm was first caught and detected on 16th January 2006 at 10:00 (GMT) by Quick Heal AntiVirus.
This worm attaches itself to e-mail messages as an executable file under various names. Occasionally it compresses itself with ZIP, MIME-encodes the compressed file, and attaches the encoded file to the e-mail messages.
The worm has several network spreading routines. One of them enumerates all available shares, then reads the values of the registry key where personal documents and recently opened files are stored. It copies itself into those folders under the name of a document already in the folder, with an executable extension. The worm also copies itself to network shares with the same name. Once active, the worm first tries to delete the folders of popular international anti-virus products (e.g. Norton AntiVirus, McAfee, Trend etc.).
This worm has a dangerous payload: it deletes all the documents, worksheets, presentations, database files and compressed backup files from the system on every 3rd day of the month. This is a very serious payload considering that the worm has spread all over India and the first payload day, 3rd February, has arrived today. We recommend that all our users keep their anti-virus updated, up and running. All Quick Heal users have been protected from this worm from day one.
Ack :~ QuickHeal
