
Email-Worm.Win32.Warezov.jv

Detected Jan 16 2007 01:35 GMT
Released Jan 16 2007 01:35 GMT
Published Jan 17 2007 08:28 GMT


Technical Details

This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm, but a component which will download the latest version of the worm via the Internet from a variety of sites.

The worm is a Windows PE EXE file 101,083 bytes in size. It is packed using UPX. The unpacked file is approximately 376KB in size.

Installation

When launched, the worm copies its executable file to the Windows directory as “tpup.exe”:

%WinDir%\tpup.exe

and then launches it with the 's' option.

It extracts the following file from its body:

%System%\e1.dll

This file is 6144 bytes in size.

In order to ensure that its components are loaded the next time Windows is started, the worm creates the following parameters in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
tpup=%WinDir%\tpup.exe s

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs=<name of random system library> e1.dll

Propagation via email

The worm harvests addresses from the Outlook address book and from files on the user's hard disk.

Harvested addresses will be saved to a file with the following name:

%WinDir%\tpup.wax

Payload

The worm sends messages which contain a Trojan downloader in the attachment to email addresses harvested from the victim machine. This Trojan downloader will download the worm's main executable file from the Internet.

Message subject (chosen at random from the list below):

  • Error
  • Good Day
  • hello
  • Mail Delivery System
  • Mail server report
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
  • test

Message body (chosen at random from the list below):

  • Mail transaction failed. Partial message is available.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service

Attachment name (will contain one of the following strings):

  • body
  • data
  • doc
  • docs
  • document
  • file
  • message
  • readme
  • test
  • text
  • Update-KB<random numbers>-x86

The attachment will have a .zip, a “doc.exe” or a “txt.exe” extension, preceded by a large number of spaces so that the real extension is pushed out of view.
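The subject, body and attachment-name traits listed above are what a mail gateway or mailbox triage script can match on. The following Python is an added example written for this page (it is not code from Kaspersky Lab or from the worm); it takes the subject and attachment-name indicators from the description, reads the "spaces in front of the extension" trait as a run of padding spaces immediately before the final `.zip`, `.doc.exe` or `.txt.exe`, and flags a message when the attachment name carries two traits or one trait plus a listed subject. The messages, the padding threshold and the `scan_messages` helper are constructed assumptions for the example.

```python
import re

# Subjects and attachment name stems taken from the description above.
LURE_SUBJECTS = {
    "error", "good day", "hello", "mail delivery system", "mail server report",
    "mail transaction failed", "picture", "server report", "status", "test",
}
ATTACHMENT_STEMS = (
    "body", "data", "doc", "docs", "document", "file",
    "message", "readme", "test", "text",
)
# "Update-KB<random numbers>-x86"
UPDATE_KB_RE = re.compile(r"update-kb\d+-x86", re.IGNORECASE)
# Final extension used by the worm's attachment, optionally preceded by
# a run of padding spaces that hides the real extension in a mail client.
SUFFIX_RE = re.compile(r"(?P<pad> *)\.(?P<ext>zip|doc\.exe|txt\.exe)$", re.IGNORECASE)
MIN_PADDING = 8  # assumed threshold; the page only says "a large number of spaces"


def attachment_indicators(name):
    """Return the lure traits found in an attachment file name (empty list = none)."""
    hits = []
    m = SUFFIX_RE.search(name)
    if not m:
        return hits
    stem = name[: m.start()].strip().lower()
    ext = m.group("ext").lower()
    if ext != "zip":
        hits.append(f"double extension .{ext}")
    pad = len(m.group("pad"))
    if pad >= MIN_PADDING:
        hits.append(f"{pad} padding spaces before .{ext}")
    if stem in ATTACHMENT_STEMS or UPDATE_KB_RE.fullmatch(stem):
        hits.append(f"lure stem '{stem}'")
    return hits


def is_warezov_lure(subject, attachment):
    """Two attachment traits, or one trait plus a listed subject, flag the message."""
    hits = attachment_indicators(attachment)
    if not hits:
        return False
    if len(hits) >= 2:
        return True
    return subject.strip().lower() in LURE_SUBJECTS


def scan_messages(messages):
    """Return (subject, attachment, traits) for every flagged (subject, attachment) pair."""
    return [
        (subject, attachment, attachment_indicators(attachment))
        for subject, attachment in messages
        if is_warezov_lure(subject, attachment)
    ]


# Constructed sample messages (not real captures): three lures, two benign mails.
SAMPLE_MESSAGES = [
    ("Mail Delivery System", "document" + " " * 40 + ".doc.exe"),
    ("Re: lunch", "Update-KB8123-x86      .txt.exe"),
    ("test", "test.zip"),
    ("Quarterly figures", "report.zip"),
    ("picture", "holiday.jpg"),
]

if __name__ == "__main__":
    for subject, attachment, traits in scan_messages(SAMPLE_MESSAGES):
        print(f"FLAGGED subject={subject!r} attachment={attachment!r}: {', '.join(traits)}")
```

The padding check is deliberately separate from the double-extension check: a padded `.doc.exe` name is flagged even with an unlisted subject, while a bare `test.zip` only counts when the subject is also one of the worm's, which keeps ordinary "test" mails with a zip from being quarantined on the name alone.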

The worm creates the following files:

%WinDir%\tpup.dat
%WinDir%\tpup.s

The worm component is the following file:

%System%\e1.dll

The worm code will be injected into randomly chosen processes on the victim machine. It is designed to disable antivirus protection.

The worm component attempts to terminate antivirus and personal firewall processes and to stop their services.

The worm also downloads a list of links to files on the Internet. It will then download files from these links, save them to the Windows temporary directory, and launch them.


Removal instructions

Urgent updates containing detection for this program have been released.

If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection and the solution will be able to detect and neutralize new variants without the need to update your antivirus databases.

If you do not have an up to date antivirus on your computer, and have been infected by this malicious program, you should follow the instructions below:

  1. Use Task Manager to terminate the worm process (it may be called tpup.exe).
  2. Delete the original worm file.
  3. Delete the following files:
    %WinDir%\tpup.exe
    %WinDir%\tpup.dat
    %WinDir%\tpup.s
    %WinDir%\tpup.wax
    %System%\e1.dll
  4. Delete the following parameters from the system registry:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    tpup=%WinDir%\tpup.exe s

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs=<name of random system library> e1.dll

  5. Update your antivirus databases and perform a full scan of your computer (a trial version of Kaspersky Anti-Virus is available for download).
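The two registry entries from the Installation section are also the ones removal step 4 asks you to delete, and they can be checked offline from a `reg export` of the affected machine. The following Python is an added example for this page, not Kaspersky Lab code: it parses a constructed registry export, reports a `Run` value named `tpup` (or one pointing at `tpup.exe`) and an `AppInit_DLLs` list that contains `e1.dll`, and computes the `AppInit_DLLs` value with only the worm entry removed. The export text, the `shell32.dll` stand-in for the "random system library" and the function names are assumptions of the example.

```python
import re

# Registry locations from the description (HKLM expanded as reg export writes it).
REG_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WORM_RUN_NAME = "tpup"
WORM_DLL = "e1.dll"

# Constructed reg export (not a real capture); shell32.dll stands in for the
# random system library the worm places before e1.dll.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tpup"="C:\\WINDOWS\\tpup.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="shell32.dll e1.dll"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Parse string values of a reg export into {key path: {value name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # reg export doubles backslashes inside REG_SZ values; undo that.
            keys[current][m.group("name")] = m.group("value").replace("\\\\", "\\")
    return keys


def appinit_entries(value):
    """AppInit_DLLs is a space- or comma-separated list of DLL names."""
    return [e for e in re.split(r"[ ,]+", value.strip()) if e]


def find_warezov_persistence(keys):
    """Return (location, value name, value) for each entry matching the worm's persistence."""
    findings = []
    for name, value in keys.get(REG_RUN_KEY, {}).items():
        if name.lower() == WORM_RUN_NAME or "tpup.exe" in value.lower():
            findings.append(("Run", name, value))
    appinit = keys.get(REG_WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    # Compare each list entry, not the whole string: the worm appends itself
    # after a legitimate library, so an exact-match check would miss it.
    if any(e.lower() == WORM_DLL for e in appinit_entries(appinit)):
        findings.append(("AppInit_DLLs", "AppInit_DLLs", appinit))
    return findings


def strip_worm_dll(appinit_value):
    """AppInit_DLLs value with e1.dll removed and the other entries kept."""
    return " ".join(e for e in appinit_entries(appinit_value) if e.lower() != WORM_DLL)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for location, name, value in find_warezov_persistence(parsed):
        print(f"{location}: {name} = {value!r}")
        if location == "AppInit_DLLs":
            print(f"  cleaned value: {strip_worm_dll(value)!r}")
```

Whether to blank `AppInit_DLLs` entirely, as step 4 does, or keep the remaining library depends on whether that library was listed there before the infection; since the worm writes the whole value itself, an empty value is the usual end state, and `strip_worm_dll` is there for the case where a known-good entry must survive.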

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.



Aliases

Email-Worm.Win32.Warezov.jv (Kaspersky Lab) is also known as:

  • W32/Spamta.QO.worm (Panda)
  • Win32.HLLM.Limar (DrWeb)