Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Zhelatin.ch
Email-Worm.Win32.Zhelatin.ch
| Detected | Apr 27 2007 11:33 GMT |
| Released | Aug 04 2007 11:27 GMT |
| Published | Apr 27 2007 11:33 GMT |
Payload
Removal instructions
Technical Details
This email worm is a Windows PE EXE file. The worm components vary from 7KB to 93KB in size.
Installation
When launched, the worm copies its executable file to the Windows system directory:
%System%\lnwin.exe
In order to ensure that the worm is launched automatically each time Windows is restarted, it adds a link to its executable file to the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lnwin.exe" = "%System%\lnwin.exe"
The worm also extracts the following files from its body:
- %System%\sporder.dll – this file is 45 056 bytes in size.
- %System%\rsvp32_2.dll – this file is 8 704 bytes in size.
Payload
The worm executes a command which will allows the worm component network activity:
netsh firewall set allowedprogram %System%\lnwin.exe enable
The worm also creates a file and stores its configuration in this file:
C:\peers.ini
Every ten minutes the worm will open the following link:
http://209.123.8.***/files/ctr.php
The worm contacts the following sites belonging to the remote malicious user:
***n.voxgratia.org ***n.ekiga.net ***n.xten.com
The worm gets spam content from these sites, and will send spam to a list of addresses which it also downloads from these sites.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "lnwin.exe" = "%System%\lnwin.exe"
- Delete the following files:
%System%\lnwin.exe %System%\rsvp32_2.dll %System%\sporder.dll
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- HackTool.
Win32. Zhelatin. ch (Kaspersky Lab) - P2P-Worm.
Win32. Zhelatin. ch (Kaspersky Lab) - Trojan:
Downloader-ASH. gen (McAfee) - Mal/EncPk-E (Sophos)
- Trojan.
Small-1580 (ClamAV) - Adware/Adsmart (Panda)
- W32/EmailWorm.
HAI (FPROT) - Trojan:
Win32/Tibs. CB (MS(OneCare)) - Trojan.
Packed. 72 (DrWeb) - Win32/Nuwar.
Gen worm (Nod32) - Trojan.
Peed. Gen (BitDef7) - Trojan.
Tibs. Gen!Pac. 86 (VirusBuster) - Win32:
Zhelatin-TJ [Wrm] (AVAST) - Email-Worm.
Win32. Zhelatin. ch (Ikarus) - Downloader.
Tibs. 5. BD (AVG) - Trojan.
Packed. 13 (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Downloader-ASH.
gen (NAI) - TROJ_MULP.
BG (PCCIL) - Worm.
Mail. Zhelatin. xw (Rising) - TROJ_MULP.
BG (TrendMicro) - Trojan.
Tibs. Gen!Pac. 86 (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.