How it works
Finaldo can arrive by e-mail. The randomly named attached file, almost always identified with a Chinese national flag icon, can execute automatically on some versions of Internet Explorer. Users of Internet Explorer 5.0 or 5.01 should update to the latest version of Internet Explorer, or apply the following patch. If a user opens the attached file, Finaldo will look for e-mail clients and send copies of itself to any sender's e-mail address it finds.
Another way for Finaldo to spread is via shared network directories. After infection, the virus part of Finaldo will attempt to infect EXE, OCX, and SCR files on the infected computer and in any directories connected to the invaded machine. Finaldo appends itself to the ends of these files, changing their overall file size. For some reason, Finaldo will not infect ntoskrnl.exe or WinZip self-extracting archives. On ASP, HTM, and HTML files, Finaldo attempts to append JavaScript code so that these pages, when viewed, can infect other users (like the Nimda worm). Fortunately, this feature does not work at this time.
Finaldo contains the following message in its code:
- Coded_by_CJH
Finaldoom is coming! Don't worry... It's no harm to your system !
It's only a demo version
Made in China
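The two traces described above (EXE, OCX, and SCR files growing because code is appended, and the message strings embedded in the worm) can be checked with a size baseline plus a string scan. This is an added example, not part of the original write-up or any vendor's tool; the function names are hypothetical, and it assumes the quoted strings appear as plain ASCII in an infected file, which the page does not confirm.

```python
import os
import tempfile
from pathlib import Path

TARGET_EXTS = {".exe", ".ocx", ".scr"}  # file types the write-up says get infected
# Strings the page quotes from the worm's code. Assumption: they sit in an
# infected file as plain ASCII; a packed or encrypted copy would not match.
MARKERS = (b"Coded_by_CJH", b"Finaldoom is coming!")

def snapshot(root):
    """Map relative path -> size for every target file under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                path = os.path.join(dirpath, name)
                sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes

def has_marker(path, chunk=65536):
    """Stream the file with an overlap so a marker split across reads is found."""
    keep, tail = max(map(len, MARKERS)) - 1, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            window = tail + block
            if any(m in window for m in MARKERS):
                return True
            tail = window[-keep:]
    return False

def audit(root, baseline):
    """Return {relative path: [reasons]} for files that grew or carry a marker."""
    findings = {}
    for rel, size in snapshot(root).items():
        grew = size - baseline.get(rel, size)
        reasons = ["grew by %d bytes" % grew] if grew > 0 else []
        if has_marker(os.path.join(root, rel)):
            reasons.append("marker string present")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed sample: two clean files, then bytes appended to one of them."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("clean.exe", "tool.scr"):
            Path(root, name).write_bytes(b"MZ" + b"\x00" * 100)
        baseline = snapshot(root)
        with open(os.path.join(root, "tool.scr"), "ab") as fh:
            fh.write(b"X" * 40 + MARKERS[0])  # inert stand-in for appended code
        return audit(root, baseline)
```

Take the baseline with `snapshot()` on a known-clean system; growth alone also fires on legitimate updates, so treat it as a lead to confirm with an antivirus scan.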
Removal
Most antivirus software companies have updated their signature files to include this worm. For more information on removing this worm from your system, see F-Secure, Kaspersky, McAfee, Sophos, Symantec, and Trend Micro.

From the write up this appears to be an Outlook Worm - like so many others. It's clearly a Windows worm because it uses EXEs. If this is a Microsoft Windows Outlook Worm - this needs to be said. When I use Windows I avoid using Outlook because there are so many worms.
I agree with those who say "Computer Virus" or "Internet Virus" are misleading terms. "MS Windows Outlook Virus" is a much clearer term.
-dave