English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsNet-Worm.VBS.KillAV.iq

Net-Worm.VBS.KillAV.iq

Detected Dec 24 2006 17:01 GMT
Released Dec 24 2006 17:01 GMT
Published May 30 2007 07:15 GMT

Technical Details
Payload
Removal instructions

Technical Details

This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm, but a component which downloads other malicious programs via the Internet.

Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. The size of infected files may vary from 63KB to 120KB.

Installation

When launched, the worm causes the following message to be displayed:

The worm them copies its executable file to the Windows system directory as "pgpswuau.exe": 

%System%\pgpswuau.exe

It creates the following files:

%System%\pgpswuau.dll

This file is 98 304 bytes in size.

The worm also creates the following system registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgpswuau]
"DllName" = "%System%\pgpswuau.dll"
"Startup" = "WlxStartupEvent"cd
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = dword:00000000
"Asynchronous" = dword:00000000

Propagation via email

The worm harvests email addresses from the Windows address books.

The worm uses its own SMTP engine to send infected messages.

Example of an infected message

The attachment contains a component of the worm which is capable of downloading other malicious programs via the Internet.

Attachment name

Update-KB<random four digit number> -x86.exe

Payload

Payload of main component

The worm is able to terminate a range of processes, and to delete services related to antivirus solutions and firewalls.

The worm’s main executable file will download other malicious programs from the remote malicious user’s site and install them to the victim machine.

Payload of component mailed as attachment

This component will be sent by the worm's main component. It will download other files from the Internet without the knowledge or consent of the user.

This component downloads a file from the following link:

http://xuyhadesunkadwi.com/***32.exe

At the time of writing, the most recent version of the worm's executable file was located on this link.

The downloaded file will be saved to the Windows temporary directory under a random name. The file will then be launched for execution.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the backdoor process.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Manually delete the files listed below from the Windows system directory: 
    %System%\pgpswuau.dll
%System%\pgpswuau.exe
  4. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry). 
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgpswuau]
  5. Delete all infected messages from all mail folders.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Viruses and worms
Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Aliases

Net-Worm.VBS.KillAV.iq (Kaspersky Lab) is also known as:

  • Packed.Win32.Feebs.iq (Kaspersky Lab)
  • Email-Worm.Win32.Warezov.iq (Kaspersky Lab)
  • Virus: W32/Stration@MM!a (McAfee)
  • W32/KillAV.gen1 (FPROT)
  • Worm:Win32/Stration (MS(OneCare))
  • Win32.HLLM.Limar (DrWeb)
  • Win32.Warezov.IQ@mm (BitDef7)
  • Win32:Warezov-AXN [Wrm] (AVAST)
  • Email-Worm.Win32.Warezov (Ikarus)
  • I-Worm/Stration.BWS (AVG)
  • TR/Crypt.ULPM.Gen (AVIRA)
  • SandBox found 'W32/Malware'. Infection details: [ General information ] (Norman)
  • Worm.Mail.Warezov.cj (Rising)
  • Email-Worm.Win32.Warezov.iq [AVP] (FSecure)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search