Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/Cissi-B

Mar 5, 2004 1:51AM PST

Aliases
Worm.Win32.Pinom.c, W32/Imbiat.worm, Win32/Pinom.C, W32.Cissi.A@mm

Type
Win32 worm

Description
W32/Cissi-B is a worm which attempts to spread by emailing itself via SMTP and by copying itself to network shares with weak passwords. The worm allows unauthorised remote access to the computer via IRC channels.
The worm copies itself to the Windows system folder as *****.EXE and changes the [boot] field within SYSTEM.INI (or WIN.INI under MS Win NT/2000/XP) to run itself on system restart. Under Windows NT-based systems the worm may change the following entry in the registry to run the worm on system restart:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

W32/Cissi-B may attempt to email itself to email addresses gleaned from files on the user's hard disk.

W32/Cissi-B attempts to copy itself to the Startup folder on remote shared computers as !IMPORTANT!.EXE or SETUP.EXE.

http://www.sophos.com/virusinfo/analyses/w32cissib.html

Discussion is locked