English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsEmail-Worm.Win32.Scano.b

Email-Worm.Win32.Scano.b

Detected Apr 14 2006 03:14 GMT
Released Apr 14 2006 03:14 GMT
Published Apr 26 2006 11:35 GMT

Technical Details
Removal instructions

Technical Details

This worm spreads via the Internet as an attachment to infected emails.

It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 18KB in size, packed using Upack. The unpacked file is approximately 85KB in size.

The worm contains a backdoor.

Installation

Once launched, the worm causes the following Internet Explorer page to be displayed:

http://www.nah**.com/

When installing, the worm copies itself to the Windows root directory as csrss.exe:

%Windir%\csrss.exe

It then creates the following entry in the system registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
 "Debugger"="%Windir%\csrss.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices]  "explorer.exe"="explorer.exe"

Propagation via email

The worm harvests email addresses from the MS Windows address books and from files with the extensions listed below:

adb
asp
cfg
cgi
dbx
dhtm
dhtml
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

The worm does not harvest addresses which contain the following strings:

0
2003
2004
2005
2006
@avp.
@example.
@foo
@hotmail
@iana
@messagelab
@microsoft
@msn
@subscribe
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
Mailer-Daemon@
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
qmail
rating@
root@
samples
sopho
spam
spm111@
support
torvalds@
unix
update
winrar
winzip

The worm attempts to establish a direct connection to the recipient's SMTP server to send infected messages.

Infected messages

Attachment name:

The attachment contains an executable CPL file.

The attachment name is chosen at random from the list below:

  • cool
  • me
  • new
  • Re
  • you

The attachment may have a double extension. One of the extensions will be chosen at random from the list below:

  • avi
  • cab
  • doc
  • mpg
  • txt

Remote administration

The worm opens a randomly chosen TCP port and listens for commands from the remote malicious user.

Payload

The worm connects to the following servers in order to download other files without the user's knowledge or consent:

  • http://207.**.250.119
  • http://84.**.161.192
  • http://85.249.**.35

Removal instructions

  • Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  • Delete the following records from the system registry:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
     "Debugger"="%Windir%\csrss.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices]
     "explorer.exe"="explorer.exe"

  • From the Windows root directory, delete the following file:

    %Windir%\csrss.exe
  • Reboot the computer as normal, and check that you have deleted all infected messages from all mail folders.

  • Update your antivirus databases and perform a full scan of your computer (download trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Viruses and worms
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions
Email-Worm.Win32.Scano.e
Email-Worm.Win32.Scano.l

Aliases

Email-Worm.Win32.Scano.b (Kaspersky Lab) is also known as:

  • Email-Worm.Win32.Bagle.fy (Kaspersky Lab)
  • Trojan-Dropper.Win32.Agent.ami (Kaspersky Lab)
  • Trojan-Spy.Win32.Agent.lz (Kaspersky Lab)
  • Virus: W32/Areses.b@MM (McAfee)
  • Virus: W32/Areses.c@MM (McAfee)
  • Virus: W32/Areses.i@MM (McAfee)
  • Troj/Bckdr-HMB (Sophos)
  • W32/Bagle-GN (Sophos)
  • W32/Bagle-GM (Sophos)
  • Trojan.Dropper.Small-68 (ClamAV)
  • Trojan.Dropper.Agent-16 (ClamAV)
  • Trojan.Dropper.Small-66 (ClamAV)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Areses.J.worm (Panda)
  • W32/Areses.CF.worm (Panda)
  • W32/Dropper.BHJ (FPROT)
  • Dropper (FPROT)
  • Worm:Win32/Scano.dr (MS(OneCare))
  • Trojan.MulDrop.3560 (DrWeb)
  • Win32.HLLM.Perf (DrWeb)
  • Win32/TrojanDropper.Agent.AMI trojan (Nod32)
  • Trojan.Dropper.Agent.AY (BitDef7)
  • Trojan.PSW.LdPinch.r (BitDef7)
  • Trojan.Downloader.Bagle.GM (BitDef7)
  • Trojan.DR.Agent.BGY (VirusBuster)
  • Trojan.DR.Agent.BHA (VirusBuster)
  • Trojan.DR.Agent.BDA (VirusBuster)
  • Win32:Trojano-Q [Trj] (AVAST)
  • Email-Worm.Win32.Scano.b (Ikarus)
  • Dropper.Generic.ETY (AVG)
  • Dropper.Generic.EUL (AVG)
  • Dropper.Agent.AXC (AVG)
  • TR/Drop.Agent.ami.5 (AVIRA)
  • TR/PSW.WOW.u (AVIRA)
  • TR/Drop.Scano.B (AVIRA)
  • TR/Hijacker.Gen (AVIRA)
  • Trojan.Dropper (NAV)
  • W32.Beagle.EA@mm (NAV)
  • W32/Scano.BI (Norman)
  • W32/Scano.R (Norman)
  • W32/Agent.ZLT (Norman)
  • W32/Scano.Q (Norman)
  • W32/Scano.B@mm (Norman)
  • W32/Areses.b@MM (NAI)
  • WORM_ARESES.C (PCCIL)
  • Trojan.Agent.bhl (Rising)
  • Trojan.Agent.bhn (Rising)
  • Worm.Mail.Scano.h (Rising)
  • Email-Worm.Win32.Scano.b [AVP] (FSecure)
  • WORM_ARESES.C (TrendMicro)
  • WORM_ARESES.GEN1 (TrendMicro)
  • Trojan-Dropper.Multi.Gen (Sunbelt)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.DR.Agent.BGY (VirusBusterBeta)
  • Trojan.DR.Agent.BHA (VirusBusterBeta)
  • Trojan.DR.Agent.BDA (VirusBusterBeta)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search