[virusinfo] W32/Nopir-B

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 20 Apr 2005 17:17:26 -0700

From Sophos Alert System:

Name: W32/Nopir-B
Type: Win32 worm
Date: 20 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Nopir-B can be found at:
http://www.sophos.com/virusinfo/analyses/w32nopirb.html

W32/Nopir-B is a worm for the Windows platform.

W32/Nopir-B will display an anti-piracy image on the screen when run. The
worm will then delete all COM and MP3 files from the computer. The worm will
also disable Task Manager, registry tools, and access to the Control Panel.

W32/Nopir-B will also check for debuggers and may attempt to disable any such
software that it finds.

W32/Nopir-B copies itself to:

<Program Files>\Projects Visual Studio.NET\Nctrup.exe
<Program Files>\Restore\<random name>.exe
<Program Files>\eMule\Incoming\AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe

W32/Nopir-B will create the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Verif
<Program Files>\Restore\<random name>.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
securw
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\exefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\batfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\comfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\scrfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\piffile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbsfile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCR\vbefile\Shell\open\command
<Program Files>\Projects Visual Studio.NET\Nctrup.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

This IDE file also includes detection for:

Troj/Fireby-A
http://www.sophos.com/virusinfo/analyses/trojfirebya.html
W32/Mytob-AF
http://www.sophos.com/virusinfo/analyses/w32mytobaf.html
W32/Mytob-AE
http://www.sophos.com/virusinfo/analyses/w32mytobae.html
Troj/Istbar-AY
http://www.sophos.com/virusinfo/analyses/trojistbaray.html
W32/Mytob-AD
http://www.sophos.com/virusinfo/analyses/w32mytobad.html
Troj/Dloader-ML
http://www.sophos.com/virusinfo/analyses/trojdloaderml.html
Troj/Zaurga-A
http://www.sophos.com/virusinfo/analyses/trojzaurgaa.html
Troj/ConycSp-C
http://www.sophos.com/virusinfo/analyses/trojconycspc.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/nopir-b.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
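
Added example (not part of the original post or of Sophos's advisory): a
Python check that scans the text of a registry export (.reg format) for the
Run values, file-handler changes and policy values listed in the alert above.
The function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the advisory text; keys and value names are compared in lower case.
HANDLER = re.compile(r"hkey_classes_root\\(exe|bat|com|scr|pif|vbs|vbe)file\\shell\\open\\command")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
POLICY_VALUES = {POLICIES + r"\explorer": {"nocontrolpanel"},
                 POLICIES + r"\system": {"disabletaskmgr", "disableregistrytools"}}
RUN_NAMES = {"verif", "securw"}
DROPPED = "nctrup.exe"

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; '@' names a key's default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            name, data = m.group(1).strip('"').lower(), m.group(2)
            if data.startswith('"'):  # REG_SZ: drop quotes, undo \\ and \" escaping
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def find_nopir_b(text):
    """Return sorted (key, value_name) pairs that match the advisory's registry changes."""
    hits = set()
    for key, name, data in parse_reg(text):
        d = data.lower()
        if ((key == RUN_KEY and (name in RUN_NAMES or DROPPED in d))
                or (HANDLER.fullmatch(key) and name == "@" and DROPPED in d)
                or (name in POLICY_VALUES.get(key, ()) and d.startswith("dword:") and int(d[6:], 16))):
            hits.add((key, name))
    return sorted(hits)

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"securw"="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000
'''
```

Exports written by regedit are normally UTF-16, so decode the file to text
before passing it to find_nopir_b().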


