Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.lg
Email-Worm.Win32.Warezov.lg
| Detected | Feb 17 2007 10:31 GMT |
| Released | Feb 17 2007 10:31 GMT |
| Published | Mar 02 2007 06:37 GMT |
Payload
Removal instructions
Technical Details
This modification of Warezov is a component which is used by other variants in this family. It is a Windows DLL file. It is 364,544 bytes in size.
Installation
When loaded, the file will check which process it is loaded into. If the process is called "winlogon.exe", the following files will be extracted to the Windows system directory:
%System%\wmvprf32.dll %System%\wmvstat.dll %System%\confwmv.dll %System%\wmvconf.exe
This files will be detected by Kaspersky Anti-Virus as other modifications of Warezov: Email-Worm.Win32.Warezov.lf, Email-Worm.Win32.Warezov.lg and Email-Worm.Win32.Warezov.kz.
To ensure that its components are loaded when Windows is rebooted, the worm adds a link to them in the system registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "confwmv.dll wmvstat.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmvdiag" = "<path and name of worm executable file>"
Payload
The worm scans open windows for fields where passwords will be entered. It will harvest data entered in the fields.
The worm also disables system security components by simulating a click on ‘OK’ in the relevant dialogue boxes.
The worm also creates an SMTP proxy server on a random TCP port, and sends the IP address of the victim machine and the number of the open port to the remote malicious user’s site. It also sends the information which it harvested to the site.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%System%\wmvprf32.dll %System%\wmvstat.dll %System%\confwmv.dll %System%\wmvconf.exe
- Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmvdiag" = "<path and name of worm executable file>" - Delete the strings "confwmv.dll" and "wmvstat.dll" from the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Mal/Generic-A (Sophos)
- Worm.
Stration. AEC-1 (ClamAV) - W32/Spamta.
QO. worm (Panda) - Trojan:
Win32/Stration. F!dll (MS(OneCare)) - Win32.
HLLM. Limar (DrWeb) - Win32/Stration.
YD (Nod32) - Win32.
Warezov. EM@mm (BitDef7) - Worm.
Warezov. H (VirusBuster) - Win32:
Warezov-BGM (AVAST) - Email-Worm.
Win32. Warezov. dq (Ikarus) - I-Worm/Stration.
CBY (AVG) - WORM/Stration.
BL. 3 (AVIRA) - W32.
Stration@mm (NAV) - WORM_STRATION.
CE (PCCIL) - Worm.
Mail. Win32. Warezov. lg (Rising)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.