English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsEmail-Worm.Win32.Scano.e

Email-Worm.Win32.Scano.e

Detected Apr 20 2006 21:33 GMT
Released Apr 20 2006 21:33 GMT
Published Apr 27 2006 11:14 GMT

Technical Details
Removal instructions

Technical Details

This worm spreads via the Internet as an attachment to infected emails. It sends itself to email addresses harvested from the victim machine. The attachment to infected messages does not contain a copy of the worm, but an HTA component, which contains the worm's executable file.

The worm itself is a Windows PE EXE file approximately 18KB in size.

Installation

When installing, the worm copies itself to the Windows root directory as csrss.exe:

%Windir%\csrss.exe

The worm then creates the following entries in the Windows system registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
 "Debugger"="%Windir%\csrss.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]  "Application"="%Windir\csrss.exe"

Propagation via email

The worm harvests addresses from the MS Windows address books and also from files with the extensions listed below:

adb
asp
cfg
cgi
dbx
dhtm
dhtml
eml
htm
html
jsp
mbx
mdx
mht
mmf
mra
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

The worm does not harvest addresses which contain the following strings:

0
2003
2004
2005
2006
---
.0
.00
.1
.2
.3
.4
.5
.6
.7
.8
.9
.gif
.qmail
@avp.
@example.
@foo
@iana
@messagelab
@microsoft
@subscribe
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
Mailer-Daemon@
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
spm111@
support
torvalds@
unix
update
winrar
winzip

The worm attempts to establish a direct connection to the recipient's SMTP in order to send infected messages.

Infected messages

Examples:

Message subject

The message subject will be chosen at random from a list of 14 possible variants, all of which are in Russian.

Message body

The message body will be chosen at random from a list of 14 variants, all of which are in Russian.

Attachment name

The attachment does not contain a copy of the worm, but a polymorphic HTA component, which contains the worm's executable file. When the attached file is launched, it will create a file called ntldr.exe in the C:\ root directory, which will then be launched for execution. It is this file which is a copy of the worm.

Attachment name

The attachment name is chosen at random from a list of 9 variants, all of which are in Russian.

Payload

The worm connects to the following servers in order to download other files without the user's knowledge or consent:

http://207.**.250.119
http://84.**.161.192
http://85.249.**.35

Removal instructions

  1. Reboot the computer in Safe Mode (at the beginning of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the following records from the system registry:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
     "Debugger"="%Windir%\csrss.exe"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "Application"="%Windir\csrss.exe"

  3. Delete the following files: 
    %Windir%\csrss.exe
C:\ntldr.exe
  4. Reboot the computer as normal and check that you have deleted all infected messages from all mail folders.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Viruses and worms
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Other versions
Email-Worm.Win32.Scano.b
Email-Worm.Win32.Scano.l

Aliases

Email-Worm.Win32.Scano.e (Kaspersky Lab) is also known as:

  • W32/Areses.H.worm (Panda)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search