Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.jx
Email-Worm.Win32.Warezov.jx
| Detected | Mar 03 2007 03:41 GMT |
| Released | Mar 03 2007 03:41 GMT |
| Published | Apr 10 2007 09:07 GMT |
Payload
Removal instructions
Technical Details
This modification of Warezov is a component which is used by other program versions in the same family.
The component is sent by the worm as an attachment to infected emails. It is a Windows PE EXE file, 16,609 bytes in size, packed using Upack. The unpacked file is approximately 94KB in size.
Payload
Examples of infected messages:
The main function of this component is to download and install the latest version of the Warezov worm to the victim machine.
When launching, Warezov.jx causes the following message to be displayed on the screen:
It then downloads a file from the following link:
http://www6.badesugerwakirpos.com/***/907/nt.exe
(At the moment of writing this link was not working.)
This file will be saved to the Windows temporary directory and launched for execution.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the worm process.
- Delete the original worm file (its location will depend on how it originally penetrated the victim machine).
- Delete the contents of %Temp%.
- Delete all infected messages from all mail folders.
- Update your antivirus databases and perform a full scan of the victim machine (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Trojan-Downloader.
Win32. Agent. ber (Kaspersky Lab) - Mal/EncPk-BW (Sophos)
- W32/Spamta.
gen. worm (Panda) - W32/Warezov.
gen!W32DL (FPROT) - Worm:
Win32/Agent. AC (MS(OneCare)) - Win32.
HLLM. Limar. based (DrWeb) - Win32/Stration.
WL worm (Nod32) - Trojan.
Downloader. Warezov. B (BitDef7) - Win32:
Warezov-AQH [Wrm] (AVAST) - Win32.
Warezov (Ikarus) - I-Worm/Stration.
BYU (AVG) - TR/Unpacked.
Gen (AVIRA) - W32.
Stration@mm (NAV) - W32/Stration.
LBG (Norman) - Worm.
Mail. Win32. Warezov. pk (Rising) - TROJ_STRAT.
AW (TrendMicro)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.