Is this a virus or a worm, and which?

mac_john20033
Recently a mail came into my mailbox
with the subject "WindowsXP Service Release Pack 2.002"
and an attachment called install.exe.
After that, an error window came up with the message "Error! This process will be terminated."
After that, there was mass-mailing from my mailbox to my friend with my name.
First, John, this is a worm called W32/Pepex.c@MM. This mass-mailing worm attempts to harvest addresses from cached web pages, and spreads via Internet Relay Chat and the KaZaa, Morpheus, and Bearshare peer-to-peer file sharing applications.
The worm is saved to the WINDOWS SYSTEM directory as WINSYS#.EXE, where # is a 2 or 3 digit number. A registry run key is created to load the worm at startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module=%Worm Path%
The worm attempts to use WINZIP32.EXE to create a .ZIP version of itself in the WINDOWS SYSTEM directory, using the same name as the dropped .EXE file in that directory. It then overwrites the mIRC script.ini file with instructions to send the .ZIP copy to users who join the same channel as the infected user. If WINZIP32.EXE is not installed on the infected system, the SCRIPT.INI instructions will fail.
A base64-encoded version of the worm is written to the root directory as BOOT64.BIN. This is used by the worm during its email function. Email addresses are harvested from the *.HTM files in the Temporary Internet Files directory and subdirectories. The worm attempts to send itself to the addresses found.

The worm queries the registry for the KaZaa transfer directory. It then creates copies of itself in the specified folder using one of the following file names:
kmd22.exe
winxpserial.exe
wamp3.exe
wmplay9.exe
Attempts are also made to copy the worm to the following folders, using the same filenames:
C:\Program Files\Edonkey2000\Incoming
C:\Program Files\Bearshare\Shared
C:\Program Files\Morpheus\My Shared Folder
After infection occurs a registry key value is created:

HKEY_LOCAL_MACHINE\Software\PieceByPieceB "inf"=yep

To remove the worm, delete the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the key and restart the machine.
This will solve your problem.
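
An added example, not part of the original answer: a Python triage helper that checks a file listing and a registry export for the indicators named in the answer above. The function names, the reading of "WINDOWS SYSTEM directory" as either SYSTEM or SYSTEM32, and the sample paths are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators below are the ones listed in the answer above.
DROPPED = re.compile(r"^winsys\d{2,3}\.(exe|zip)$", re.I)  # WINSYS#.EXE and its .ZIP copy
LURES = {"kmd22.exe", "winxpserial.exe", "wamp3.exe", "wmplay9.exe"}
SHARE_DIRS = {
    r"c:\program files\edonkey2000\incoming",
    r"c:\program files\bearshare\shared",
    r"c:\program files\morpheus\my shared folder",
}
SYSTEM_DIRS = {"system", "system32"}  # assumption: either may be "the WINDOWS SYSTEM directory"
MARKER_KEY = r"hkey_local_machine\software\piecebypieceb"


def classify(path):
    """Return a reason string if the path matches an indicator, else None."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if DROPPED.match(name) and p.parent.name.lower() in SYSTEM_DIRS:
        return "worm copy in system directory"
    if name == "boot64.bin" and p.anchor and p.parent == PureWindowsPath(p.anchor):
        return "base64 copy in root directory"
    if name in LURES:
        if parent in SHARE_DIRS:
            return "worm copy in P2P share folder"
        return "lure file name; check whether this is the KaZaa transfer directory"
    return None


def scan_listing(paths):
    """Classify every path in a file listing (e.g. output of `dir /s /b`)."""
    return [(p, r) for p in paths if (r := classify(p.strip()))]


def marker_in_reg_export(reg_text):
    """True if a .reg export contains the infection marker key."""
    return any(line.strip().lower() == f"[{MARKER_KEY}]" for line in reg_text.splitlines())


# Constructed sample listing, not taken from a real system.
SAMPLE = [
    r"C:\WINDOWS\SYSTEM32\WINSYS47.EXE",
    r"C:\WINDOWS\SYSTEM32\notepad.exe",
    r"C:\BOOT64.BIN",
    r"C:\Program Files\Bearshare\Shared\wamp3.exe",
    r"D:\Downloads\winxpserial.exe",
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE):
        print(f"{path}: {reason}")
```

A lure file name outside the three listed share folders is reported separately, because the KaZaa transfer directory is read from the registry and is not a fixed path.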

Commented:
I agree with bhushan_paranjpe. You can view McAfee's virus description:

http://vil.nai.com/vil/content/v_99796.htm
