nvcpl.exe - Dangerous
%sysdir%\nvcpl.exe
Manual removal instructions:
Antivirus Report of %sysdir%\nvcpl.exe:
%sysdir%\nvcpl.exe
Worm W32.Yanz.B@mm
It is a mass-mailing worm that uses its own SMTP engine for spreading.
1. Adds to Windows startup.
It masks to NVIDIA control panel application NvCpl.exe.
2. Creates the files
%System%\Dong_Shi.exe
%System%\NvCpl.EXE
C:\Yanzi.htm
%Windir%\Sun_YanZI.zip (a zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\Huai_Tian_Q1.sys ( an MIME-encoded zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\I_am_Sun_Yanzi.sys. (an MIME-encoded worm)
YanZi.vbs. (this file is created in the current folder and it creates the file sun.exe)
When the file sun.exe runs, it creates three .jpg files under %Temp% folder. The file names have "SuN" as prefix.
One of these files is a Trojan that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) to download and execute a file named m00.exe, from the domain sunyanzi.fastmail.cn. This file is also a Trojan.
| %sysdir%\nvcpl.exe | Malware |
| %sysdir%\nvcpl.exe | Dangerous |
| %sysdir%\nvcpl.exe | High Risk |
It is a mass-mailing worm that uses its own SMTP engine for spreading.
1. Adds to Windows startup.
It masks to NVIDIA control panel application NvCpl.exe.
2. Creates the files
%System%\Dong_Shi.exe
%System%\NvCpl.EXE
C:\Yanzi.htm
%Windir%\Sun_YanZI.zip (a zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\Huai_Tian_Q1.sys ( an MIME-encoded zip file that contains a file Sun_Yan_Zi-Shen_Q1.mp3.pif - it is a copy of the worm)
%System%\I_am_Sun_Yanzi.sys. (an MIME-encoded worm)
YanZi.vbs. (this file is created in the current folder and it creates the file sun.exe)
When the file sun.exe runs, it creates three .jpg files under %Temp% folder. The file names have "SuN" as prefix.
One of these files is a Trojan that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028) to download and execute a file named m00.exe, from the domain sunyanzi.fastmail.cn. This file is also a Trojan.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.