installer6.exe

Have YOU Received An Email With The Installer6.exe File?

Beware....

There is a NEW worm spreading via the Internet. It looks as though it has
come from Microsoft. In fact, everything about it looks like it has come from
Microsoft....

EXCEPT...

That Microsoft DO NOT send attachments in their emails! Nope NEVER!

The following is a snapshot of the Installer6.exe worm:

 

[Image: the Installer6.exe email]

 

This email does really look as though it could have come from Microsoft!

(This virus is much more professional looking than the recent Dumaru-A virus
pretending to be a patch from the Microsoft team...)

Another reason for spotting that this Installer6.exe email is NOT genuine is that
it refers to the "September 2003, Cumulative Patch" for Internet Explorer...

As of today, 19th September 2003, there IS NO September 2003, Cumulative Patch
for Internet Explorer!

The current patch is:

August 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (822925)

 

Techy Bit......

This is a mass-mailing worm that poses as a legitimate email from Microsoft Windows Update.

Its official name is: W32/Swen@MM or W32/Swen-A or W32/Gibe-F

The worm also attempts to propagate via peer-to-peer (P2P) file-sharing networks, such as Kazaa, via IRC and also via newsgroups.

Furthermore, it terminates antivirus and firewall software running on an infected system.

It was first discovered on the 18th September 2003.

The attachment may also be called Install6.exe

The worm sets several entries in the registry to signify installation, confirm KaZaA infection and to prevent REGEDIT.EXE from running.

The worm copies itself to the Windows folder as a randomly-named lowercase executable (e.g. jlfsm.exe) and adds an entry to the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on system restart.

The worm also changes the entries in the registry at:

HKCR\exefile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrfile\shell\open\command
HKCR\scrfile\shell\config\command

so that it is run before EXE, COM, PIF, BAT, SCR files and to display a false error message (e.g. "Error occurred Memory access violation in module kernel32 at :") when REG files are opened.
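
To check a machine for the registry changes described above, the following is an added example (not from the original article or from any antivirus vendor). It reads text in the layout printed by `reg query`, compares each handler's (Default) value with the stock Windows value, and flags Run entries that match the "lowercase executable in the Windows folder" pattern. The function names, the heuristic and the sample values are assumptions made for illustration.

```python
import re

# Stock Windows (Default) values for the handlers the article lists.
DEFAULTS = {
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"scrfile\shell\open\command": '"%1" /S',
    r"scrfile\shell\config\command": '"%1"',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
# Heuristic (assumption): an all-lowercase .exe sitting directly in the Windows folder.
WORM_LIKE = re.compile(r'^"?[A-Za-z]:\\(?i:windows|winnt)\\[a-z]+\.exe\b')

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` style text."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s{2,}(.*)$", line)
        if key and m:
            yield key, m.group(1), m.group(2).strip()

def find_swen_traces(text):
    """Return (finding, key, data) tuples for values that need triage."""
    findings = []
    for key, name, data in parse_reg_query(text):
        sub = key.partition("\\")[2].lower()   # drop the hive name
        expected = DEFAULTS.get(sub)
        if expected and name == "(Default)" and data.lower() != expected.lower():
            findings.append(("hijacked handler", key, data))
        if sub == RUN_KEY and WORM_LIKE.match(data):
            findings.append(("suspicious Run entry", key, data))
    return findings

# Constructed sample, not the worm's real values; jlfsm.exe is the article's example name.
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\jlfsm.exe "%1" %*
HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    abcde    REG_SZ    C:\WINDOWS\jlfsm.exe autorun
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
'''

if __name__ == "__main__":
    for finding in find_swen_traces(SAMPLE):
        print(finding)
```

A flagged Run entry is only a lead for triage, since legitimate programs in the Windows folder can also have lowercase names.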

If YOU have been infected PLEASE see your anti virus vendor's website for removal instructions...

Or you could try the following tool suggested by a fellow site visitor, Rosana Hart, webmaster of www.training-dogs.com

She successfully used the removal tool from BullGuard AntiVirus after her husband thought the email was a legitimate one from Microsoft.

So in closing....

Remember that Microsoft DOES NOT send attachments in its emails, and make sure YOUR anti virus software is up to date at all times...

There are a host of email viruses that pretend to be from Microsoft. This latest one, the Installer6.exe, will NOT be the last..

I hope this article was helpful and informative.

 


Regards

Marc Liron
marc@updatexp.com

The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 19th September 2003
