I have just found this on FOUR computers on my Network!
WORM_REDIST.E is a non-destructive worm that spreads via email using Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It also has password-stealing capabilities. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm displays the following message box:
Error Starting Progam
A required .DLL file, MSVBM60.DLL, was not found.
It drops the following copies of itself into the Windows folder:
It drops the following copies of itself into the Windows system folder:
It drops the following copy into the Startup folder:
The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE, to execute at every Windows startup.
This worm propagates by sending a copy of itself to all email addresses found in the infected user's address book. It uses Microsoft Outlook (MAPI) to send email with varying details. Samples of the email it sends are as follows:
Subject: A new screensaver
Message Body: Take a look at this new screensaver in the attachments that I downloaded from the internet a while ago. If you like it, try setting it as your system screensaver :) Cya!
Subject: Your file
Message Body: Here is that file that you asked for (in the attachments). Sorry that I sent it late, I had trouble finding it on the computer.
This worm also attempts to propagate to other P2P and chat clients. To do so, it drops the following copies of itself:
Bruce Almighty (Downloader).pif
Legally Blonde 2 (Downloader).pif
Movie - Finding Nemo (Downloader).pif
Movie - Terminator 3 (Downloader).pif
Movie - The Hulk (Downloader).pif
Movie - The Italian Job (Downloader).pif
Sinbad - Legend of the Seven Seas (Downloader).pif
into the following paths, if they exist:
%Program Files%\Grokster\My Grokster
%Program Files%\ICQ\Shared Files
%Program Files%\Kazaa Lite\My Shared Folder
%Program Files%\Kazaa\My Shared Folder
%Program Files%\KMD\My Shared Folder
%Program Files%\Morpheus\My Shared Folder
%Program Files%\WinMX\My Shared Folder
This worm also drops randomly named files into the following paths:
\My Documents\My Music
This worm also attempts to capture and send cached passwords to a remote malicious user. This function only applies on systems running Windows 95 and 98, since the API used is not available on NT-based systems. It appears that the information is being sent to the following email address:
I got this info from Trend Micro.
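As an added example (not part of the original post or the vendor write-up), the check below looks in the P2P share folders listed above for the listed decoy file names. The function names, the "review" verdict for other .pif files, and the constructed test tree in `demo()` are assumptions made for illustration.

```python
"""Check P2P share folders for the WORM_REDIST.E decoy files listed in the post."""
import os
import tempfile
# File names and share folders exactly as listed in the write-up above.
DECOY_NAMES = {n.lower() for n in (
    "Bruce Almighty (Downloader).pif",
    "Legally Blonde 2 (Downloader).pif",
    "Movie - Finding Nemo (Downloader).pif",
    "Movie - Terminator 3 (Downloader).pif",
    "Movie - The Hulk (Downloader).pif",
    "Movie - The Italian Job (Downloader).pif",
    "Sinbad - Legend of the Seven Seas (Downloader).pif",
)}
SHARE_DIRS = (
    r"Grokster\My Grokster", r"ICQ\Shared Files",
    r"Kazaa Lite\My Shared Folder", r"Kazaa\My Shared Folder",
    r"KMD\My Shared Folder", r"Morpheus\My Shared Folder",
    r"WinMX\My Shared Folder",
)

def scan_shares(program_files):
    """Return sorted (verdict, path) pairs. "listed" = a decoy name from the
    write-up (case-insensitive); "review" = any other .pif in a share folder
    (added heuristic, not from the write-up)."""
    hits = []
    for rel in SHARE_DIRS:
        folder = os.path.join(program_files, *rel.split("\\"))
        if not os.path.isdir(folder):   # the worm only uses paths that exist
            continue
        for name in os.listdir(folder):
            low = name.lower()
            if low in DECOY_NAMES:
                hits.append(("listed", os.path.join(folder, name)))
            elif low.endswith(".pif"):
                hits.append(("review", os.path.join(folder, name)))
    return sorted(hits)

def demo():
    """Run the scan on a constructed directory tree (empty placeholder files)."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "Kazaa", "My Shared Folder")
    os.makedirs(share)
    for name in ("movie - the hulk (downloader).PIF", "other.pif", "song.mp3"):
        open(os.path.join(share, name), "w").close()
    return [(v, os.path.basename(p)) for v, p in scan_shares(root)]

if __name__ == "__main__":
    print(demo())
```

Pass the machine's Program Files directory to `scan_shares()`; an empty result only means none of these share folders contain a .pif file, not that the machine is clean.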
Which AV did you find it with, or did you look for it after seeing the stuff in Trend Micro?
Has anybody else had problems like this?
I used McAfee first but that didn't find anything, then I got this in an email from Trend Micro so I did a quick scan with PC-cillin and it picked it up straight away!
I assume you have managed to remove it then...
Yes, PC-cillin cleaned them with no problem.