English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→Email-Worm.Win32.Warezov.mo

Email-Worm.Win32.Warezov.mo

Detected	May 26 2007 06:41 GMT
Released	May 26 2007 06:41 GMT
Published	Sep 18 2007 13:52 GMT

Technical Details
Payload
Removal instructions

Technical Details

This malicious program is a worm. It was originally mass mailed. It is a Windows PE EXE file. The worm components vary in size from 102KB to 165KB.

Installation

When launching, the worm extracts the following files from its body to the Windows system directory:

%System%\diagisr.dll
%System%\isrprf32.dll
%System%\isrprov.exe
%System%\117X4sHrH5C.dll

In order to ensure that the worm is launched automatically when the system is rebooted, the worm adds a link to its executable file to the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"himem.exe" = "<path to executable worm file> -s"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%System%\diagisr.dll"

Payload

The worm injects its component, %System%\diagisr.dll into the following processes:

iexplore.exe
services.exe
firefox.exe
opera.exe
zlclient.exe
zapro.exe
smc.exe
ccapp.exe
outpost.exe
mpftray.exe

This component then applies special procedures for evading security software to each of the processes. These procedures vary from process to process, but are all based on imitating the user clicking on a button to allow access to a network or to allow other suspicious activity.

The worm also attempts to disable services relating to the following security software:

Zone Labs Zone Alarm
Sygate Personal Firewall
Symantec Internet Security
Agnitum Outpost Firewall
Kaspersky Anti-Virus Personal

The main worm component harvests contact information from the Microsoft Outlook address book and from the Yahoo Messenger contact list.

The harvested data will be uploaded to one of the remote malicious user’s site:

****kerunskdarun.com
****dinkionkderunjsa.com
****linkdeshkina.com
****ionkertunhasderun.com
****ionkdesunjafunhde.com
****tunjinkderunhasdefun.com
****dunkinmdespish.com
****dinjertiona.com
****erunkiondemfunhas.com
****uiceshkin.com
****etionkasde.com
****onlderunjadesunjerpas.com
****sariomdesin.com
****onjderinjdaserinjde.com
****onmdefunshjin.com
****ionkdesunjadewionsa.com
****defunjdesa.com
****defunhsadefuinn.com
****dasetiondegnas.com
****onkdesunjadefinpiomi.com
****onkdaerinjdefunhsa.com
****onkadesunjionkasde.com
****ndefunhasetrionde.com
****jinpiontunyunde.com
****runjionkdefunhasde.com
****suntiondeunwaserun.com
****sunjiokderunjdaserin.com
****sinlinmaspion.com
****funtionkderunhsa.com
****derionjdepisadrin.com
****dnegunhfaxesun.com
****djeinkdadeisna.com
****nsadehungans.com
****esinjertiopasde.com
****duewnahsuewaa.com
****nmdefuhawuinde.com
****kirationdefun.com
****unkionmasderunhas.com
****ionkdrunjdapolinkdun.com
****npasdinkerinjjas.com
****esunjionderunshishu.com

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the backdoor process.
Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
```
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"himem.exe" = "<path to executable worm file> -s"
```
Revert the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs" = "%System%\diagisr.dll"

to the original value:

"AppInit_DLLs" = " "
Delete all infected messages from all mail folders.
Reboot the computer.
Delete the following files:
%System%\diagisr.dll

%System%\isrprf32.dll

%System%\isrprov.exe

%System%\117X4sHrH5C.dll
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Print

Share

Malicious programs

Viruses and worms

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

using a direct connection to a SMTP server using the email directory built into the worm’s code
using MS Outlook services
using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

the address book in MS Outlook
a WAB address database
.txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Other versions

Email-Worm.Win32.Warezov.bw

Email-Worm.Win32.Warezov.do

Email-Worm.Win32.Warezov.et

Email-Worm.Win32.Warezov.ex

Email-Worm.Win32.Warezov.jv

Email-Worm.Win32.Warezov.jx

Email-Worm.Win32.Warezov.la

Email-Worm.Win32.Warezov.lb

Email-Worm.Win32.Warezov.lg

Email-Worm.Win32.Warezov.mx

Email-Worm.Win32.Warezov.nd