New Virus on the loose

  [DELETED] 16:04 20 Sep 2003

Please read the below, it does not just come with the Installer6.exe attachment, it also comes with several others, needless to say MS apparently do not send patches by email - What a way to find out!!!

Have YOU Received An Email With The Installer6.exe File?


There is a NEW worm spreading via the Internet. It looks as though it has
come from Microsoft. In fact everything about it looks like it has come from


That Microsoft DO NOT send attachments in their emails! Nope NEVER!

The following is a snapshot of the Installer6.exe worm:

This email does really look as though it could have come from Microsoft!

(This virus is much more professional looking than the recent Dumaru-A virus
pretending to be a patch from the Microsoft team...)

Another reason for spotting that this Installer6.exe email is NOT genuine is that
it refers to the "September 2003, Cumulative Patch" for Internet Explorer...

As of today, 19th September 2003, there IS NO September 2003, Cumulative Patch
for Internet Explorer!

The current patch is:

August 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (822925)

Techy Bit......

This is a mass-mailing worm that poses as a legitimate email from Microsoft Windows Update.
Its official name is: W32/[email protected] or W32/Swen-A or W32/Gibe-F

The worm also attempts to propagate via peer-to-peer (P2P) file-sharing networks, such as Kazaa, via IRC and also via newsgroups.

Furthermore, it terminates running antivirus and firewall software running on an infected system.

It was first discovered on the 18th September 2003.

The attachment may also be called Install6.exe

The worm sets several entries in the registry to signify installation, confirm KaZaA infection and to prevent REGEDIT.EXE from running.

The worm copies itself to the Windows folder as a randomly-named lowercase executable (e.g. jlfsm.exe) and adds an entry to the registry at

HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run itself on system restart.

The worm also changes the entries in the registry at:


so that it is run before EXE, COM, PIF, BAT, SCR files and to display a false error message (e.g. "Error occurred Memory access violation in module kernel32 at :") when REG files are opened.

If YOU have been infected PLEASE see your anti virus vendor's website for removal instructions...

Or you could try the following tool suggested by a fellow site visitor, Rosana Hart, webmaster of click here

She successfully used the removal tool from BullGuard AntiVirus after her husband thought the email was a legitimate one from Microsoft.

So in closing....

Remember that Microsoft DOES NOT send attachments in its emails, and make sure YOUR anti virus software is up to date at all times...

There are a host of email viruses that pretend to be from Microsoft. This latest one, the Installer6.exe, will NOT be the last..

I hope this article was helpful and informative.
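As an added example (not part of the original post or of any vendor's tool), the persistence behaviour described above can be triaged from a regedit-style export of the Run key by flagging autoruns that point at an all-lowercase-letter .exe sitting directly in the Windows folder. The sample export, the value names, the `known_good` parameter and the `C:\WINDOWS` default are constructed assumptions, and because the post says the worm blocks REGEDIT.EXE, the export is assumed to come from a clean environment.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in regedit export format, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"ucfzyojza"="C:\\WINDOWS\\jlfsm.exe"
"Helper"="C:\\WINDOWS\\Helper32.exe -boot"

[HKEY_LOCAL_MACHINE\Software\Example]
"other"="C:\\WINDOWS\\abcde.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def run_entries(reg_text, key=RUN_KEY):
    """Return {value name: data} for string values under one key of an export."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and current.lower() == key.lower():
            m = VALUE_RE.match(line)
            if m:  # undo the export's backslash escaping of \ and "
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                entries[name] = data
    return entries

def executable_of(command):
    """Pull the program path out of a Run command line (quoted or unquoted)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def suspicious_run_entries(reg_text, windows_dir=r"C:\WINDOWS", known_good=()):
    """Flag autoruns that are lowercase-letter-only .exe files directly in windows_dir."""
    hits = []
    for name, data in run_entries(reg_text).items():
        exe = PureWindowsPath(executable_of(data))
        in_windows = str(exe.parent).lower() == windows_dir.lower()
        if (in_windows and re.fullmatch(r"[a-z]+\.exe", exe.name)
                and exe.name not in known_good):
            hits.append((name, str(exe)))
    return hits
```

A hit is only a candidate for review: legitimate programs can also match the naming pattern, which is what the `known_good` allowlist is for.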

  Forum Editor 16:16 20 Sep 2003

In fact we've already had several posts about this, but I suppose one more can't hurt.

  [DELETED] 16:26 20 Sep 2003

Yup, I've been posting on one of the other threads about this one. I have now received nearly 70 virus emails. I have to keep checking and deleting to avoid my mailbox filling up.

As I am only a "small" private user (i.e. corporations are normally the target of virus writers) and I have never been to "kaza", do I hold the record??


This thread is now locked and can not be replied to.
