Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.et
Email-Worm.Win32.Warezov.et
| Detected | Apr 20 2007 10:54 GMT |
| Released | Apr 20 2007 10:54 GMT |
| Published | Jun 21 2007 07:28 GMT |
Payload
Removal instructions
Technical Details
This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm, but a component which downloads other malicious programs via the Internet.
Infected messages will be sent to all email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file. The file is 64,512 bytes in size. It is packed using UPX. The unpacked file is approximately 150KB in size.
Installation
When launched, the worm copies its executable file to the Windows system directory as "mspradme.exe":
%System%\mspradme.exe
The worm also extracts DLL files from its body and saves them to the Windows system directory:
%System%\e1.dll %System%\vb5dmspo.dll
In order to ensure that the worm components are launched automatically when the system is rebooted, the worm creates the following paremters in the system registry startup key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"mspradme" = "%System%\mspradme.exe"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "<name of random system library>
vb5dmspo.dll e1.dll"
Propagation via email
The worm harvests email addresses from the MS Outlook address books.
The worm uses its own SMTP engine to send infected messages.
Infected messages
Message subject (chosen at random from the list below)
The message is chosen at random from the list below:
Error Good Day hello Mail Delivery System Mail server report Mail Transaction Failed picture Server Report Status test
Message body (chosen at random from the list below)
The message is chosen at random from the list below:
Mail transaction failed. Partial message is available.
__________________________
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
__________________________
The message contains Unicode characters and has been sent as a binary attachment.
__________________________
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses
and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
Attachment name (chosen from the list below):
body data doc docs document file message readme test text Update-KB<random numbers>-x86
The attachment has a .zip or a txt.exe extension.
The attachment contains a component of the worm which is capable of downloading other malicious programs via the Internet.
Payload
The worm is able to terminate a range of processes, and to delete services related to antivirus solutions and firewalls.
The worm’s main executable file will download other malicious programs from the remote malicious user’s site and install them to the victim machine.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the process associated with the original worm file.
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Manually delete the files listed below from the Windows system directory:
%System%\vb5dmspo.dll %System%\mspradme.exe %System%\e1.dll
- Delete the following system registry key parameters:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"mspradme" = "%System%\mspradme.exe"[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "<name of random system library>
vb5dmspo.dll e1.dll" - Delete all infected messages from all mail folders.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Net-Worm.
VBS. Delf. et (Kaspersky Lab) - Backdoor.
Win32. Warezov. et (Kaspersky Lab) - Virus:
W32/Stration. gen. dldr (McAfee) - W32/Stratio-BF (Sophos)
- Worm.
Stration. YY (ClamAV) - W32/Warezov.
gen3!W32DL (FPROT) - TrojanDownloader:
Win32/Stration. A (MS(OneCare)) - Win32.
HLLM. Limar. based (DrWeb) - Win32/Stration worm (Nod32)
- Win32.
Warezov. 1. Gen@mm (BitDef7) - Trojan.
Opnis. Gen!Pac. 45 (VirusBuster) - Win32:
Warezov-MF [Wrm] (AVAST) - Email-Worm.
Win32. Warezov (Ikarus) - I-Worm/Stration (AVG)
- TR/Dldr.
Stration. D (AVIRA) - W32.
Stration@mm (NAV) - Worm.
Mail. Warezov. eb (Rising) - TROJ_STRAT.
EQ (TrendMicro)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.