April, 2003
Monthly Virus Update: Refoav Worm Is Newest Threat Making the Rounds
The new W32.Refoav@mm worm is the most serious new worm/virus threat to emerge recently. It arrives as a message with the subject "No esta registrado el usuario" and infects a system if a user on that system opens the infected attachment (named "FOAVRE.exe"). Refoav copies itself onto Windows systems as C:\FOAVRE.exe and immediately afterwards creates two additional files, C:\Vbseli.vbs and C:\Datospc.dat. It sets the Hidden and Archive attributes on each of these files, and also sets the System attribute on C:\Datospc.dat. It then adds the value "Load"="c:\vbseli.vbs" to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the infected system's Registry, so that the worm runs whenever the system boots. Finally, Refoav uses Microsoft Outlook to send itself to every address in the Outlook Address Book on the infected system. Refraining from opening attachments from people you do not know and keeping your system's anti-virus software up to date are the best preventive measures against Refoav and most other viruses and worms. If your system becomes infected by Refoav, here are the clean-up procedures.

During the month of March, the LBNL Virus Wall detected and eradicated a total of 4,214 worms and viruses. Once again the Klez.H worm was by far the most prevalent, with 2,948 instances. The Gibe worm was second with 415 instances. Gibe usually arrives as a purported "Internet Security Update" that instructs users to update their systems by downloading and executing a file that actually contains the Gibe code itself. Yaha.G was third with 345 instances, although it is worth noting that the instances for all variants of Yaha (Yaha.G and other versions of this worm), which totaled 565, outnumbered Gibe instances. Klez and Yaha have caused considerable confusion because they read address books on infected systems and use each address they find as the sender's address of the infected messages they compose and send.
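As an added illustration (not part of the original update or of any LBNL tool), the following Python checks an inbound mail message and an exported Run-key value set against the Refoav indicators quoted above. The message and the Run-key dictionary are constructed samples; the sender address is deliberately ignored because, as the update notes for Klez and Yaha, the From address is taken from someone else's address book.

```python
import email
from email import policy
from typing import Dict, List

# Indicators taken from the update: the lure subject, the attachment name and
# the Run value Refoav writes for persistence. Comparisons are case-insensitive.
REFOAV_SUBJECT = "no esta registrado el usuario"
REFOAV_ATTACHMENT = "foavre.exe"
REFOAV_RUN_NAME, REFOAV_RUN_DATA = "Load", r"c:\vbseli.vbs"


def scan_message(raw: bytes) -> List[str]:
    """Return findings for one raw RFC 822 message; an empty list means clean.
    The From header is not consulted: mass-mailers forge it from harvested
    address books, so it identifies a victim of the worm, not the source."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg.get("Subject") or "").strip().lower() == REFOAV_SUBJECT:
        findings.append("subject matches Refoav lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == REFOAV_ATTACHMENT:
            findings.append(f"attachment {name} matches Refoav dropper name")
        elif name.endswith(".exe"):
            findings.append(f"executable attachment {name}")
    return findings


def scan_run_values(run_values: Dict[str, str]) -> List[str]:
    """Check value name -> data pairs exported from HKLM\\...\\Run for the
    Refoav persistence entry."""
    data = run_values.get(REFOAV_RUN_NAME, "")
    if data.lower() == REFOAV_RUN_DATA.lower():
        return [f"Run value {REFOAV_RUN_NAME}={data} (Refoav persistence)"]
    return []


# Constructed sample message mimicking the lure described in the update.
SAMPLE_MESSAGE = b"""From: colleague@example.org
To: user@example.org
Subject: No esta registrado el usuario
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hola
--b1
Content-Type: application/octet-stream; name="FOAVRE.exe"
Content-Disposition: attachment; filename="FOAVRE.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```

Run-key data would come from `reg export` on the host; the dictionary form here stands in for that export.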