
Email-Worm.Win32.Warezov.bw

Detected Oct 03 2006 11:44 GMT
Released Apr 11 2007 08:42 GMT
Published Oct 03 2006 11:44 GMT


Technical Details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file 150 557 bytes in size, packed using UPack. The unpacked file is approximately 540KB in size.

Installation

Once launched, the worm causes the following message to be displayed:

When installing, the worm copies itself to the Windows root directory as “serv.exe”:

%Windir%\serv.exe

It also creates the following files in the Windows root and system directories:

%System%\cssewmpd (16384 bytes)
%System%\e1.dll (8192 bytes)
%System%\regaufat.dll (24576 bytes)
%System%\wupstlnt.dll (28672 bytes)
%Windir%\serv.dll (7680 bytes)
%Windir%\serv.s
%Windir%\serv.wax

The worm also creates the following entries in the system registry to ensure that the worm file is run each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "serv"="%Windir%\serv.exe s"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
 "AppInit_DLLs"="wupstlnt.dll e1.dll"

Propagation via email

The worm sends itself to email addresses harvested from the MS Windows address books. It uses its own SMTP engine to send infected messages.

Infected messages

Example:

Message subject (chosen from the list below):

  • Error
  • Good Day
  • hello
  • Mail Delivery System
  • Mail server report
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status

Message body (chosen from the list below):

  • Mail transaction failed. Partial message is available.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses
    and sends the copies of itself to these e-mail addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service


Payload

The worm will terminate a range of antivirus and firewall applications.

It also contains a list of URLs, which it will check for the presence of files. If a file is placed on one of these URLs, the worm will download it to the victim machine and launch it for execution.


Removal instructions

Detection for this variant of Warezov has already been released in an urgent update for Kaspersky Anti-Virus databases.

If 'Proactive Protection' is enabled, Kaspersky Anti-Virus 6.0 is able to detect this malicious program without an update to the antivirus databases.

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose ‘Safe Mode’ from the Windows boot menu).
  2. Use Task Manager to search for the following process:
    serv.exe
    If such a process is found, terminate it.
  3. Manually delete the following files from the Windows root and system directories:
    %System%\e1.dll
    %System%\regaufat.dll
    %System%\wupstlnt.dll
    %System%\cssewmpd
    %Windir%\serv.dll
    %Windir%\serv.s
    %Windir%\serv.wax
    %Windir%\serv.exe
  4. Delete the following registry values:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "serv"="%Windir%\serv.exe s"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
     "AppInit_DLLs"="wupstlnt.dll e1.dll"

  5. Reboot the computer as normal, and check that you have deleted all infected emails from all mail folders.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus.)

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.



Aliases

Email-Worm.Win32.Warezov.bw (Kaspersky Lab) is also known as:

  • Virus: W32/Stration.dr (McAfee)
  • W32/Stratio-AO (Sophos)
  • Worm.Stration.WR (ClamAV)
  • W32/Spamta.EB.worm (Panda)
  • W32/Warezov.B.gen!Eldorado (FPROT)
  • Trojan:Win32/Stration.KB (MS(OneCare))
  • Win32.HLLM.Limar.based (DrWeb)
  • Win32/Stration.FM worm (Nod32)
  • Win32.Worm.Stration.EX (BitDef7)
  • Win32:Warezov-JA [Wrm] (AVAST)
  • Win32.Warezov (Ikarus)
  • I-Worm/Stration.FBQ (AVG)
  • WORM/Stration.C (AVIRA)
  • W32.Stration@mm (NAV)
  • W32/Stration.gen@mm (Norman)
  • Worm.Mail.Win32.Warezov.oq (Rising)
  • Mal_Strat-3 (TrendMicro)