Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.mx
Email-Worm.Win32.Warezov.mx
| Detected | Apr 10 2007 15:03 GMT |
| Released | May 24 2007 23:47 GMT |
| Published | Apr 10 2007 15:03 GMT |
Payload
Removal instructions
Technical Details
This worm is a Windows PE EXE file, which is 89,116 bytes in size, and packed using Upack. The unpacked file is approximately 237KB in size.
Installation
When launching, the worm creates the following files:
%System%\msjidpmo.dll %System%\msssmsda.dll %System%\msssmsda.exe
It also creates the following system registry key:
"DllName" = "%System%\msssmsda.dll"
"Startup" = "WlxStartupEvent"
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = dword:00000000
"Asynchronous" = dword:00000000
Propagation
This worm uses ICQ to spread. The link below is sent with the message "Try it".
http://***.cuhasefunjinksa.com/1/6696/
When the user opens the link in the web browser, s/he will be asked if he wants to download and launch a file called "flash.exe" which actually contains the latest version of the worm.
Payload
The worm injects its component %System%\msjidpmo.dll into the following processes:
services.exe zlclient.exe iexplore.exe mpftray.exe svchost.exe outpost.exe firefox.exe ccapp.exe zapro.exe opera.exe tsmc.exe
The worm will disable antivirus and firewall applications on the victim machine.
It may also download other malicious programs from the remote malicious user’s site and launch them for execution on the victim machine.
Removal instructions
An urgent antivirus database update to detect this program was released.
If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and this malicious program will be detected without the need to update antivirus databases.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Taske Manager to delete the process associated with the original worm file.
- Delete the original worm file (its location will depend on how it originally penetrated the computer).
- Manually delete the following files from the Windows system directory:
%System%\msjidpmo.dll %System%\msssmsda.dll %System%\msssmsda.exe
- Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msssmsda]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Virus:
W32/Stration@MM (McAfee) - W32/Strati-Gen (Sophos)
- Worm.
Stration. AEA-8 (ClamAV) - W32/Spamta.
XI. worm (Panda) - W32/EmailWorm.
KJA (FPROT) - Worm:
Win32/Stration. ST (MS(OneCare)) - Win32.
HLLM. Limar (DrWeb) - Win32/Stration.
ZD worm (Nod32) - Win32.
Warezov. 1@mm (BitDef7) - I-Worm.
Opnis. BVA (VirusBuster) - Win32:
Warezov-CMW [Wrm] (AVAST) - Win32.
Warezov (Ikarus) - I-Worm/Stration.
DBV (AVG) - WORM/Stration.
Gen (AVIRA) - W32.
Stration@mm (NAV) - W32/Stration.
FIV (Norman) - W32/Stration@MM (NAI)
- WORM_STRAT.
IP (PCCIL) - Worm.
Mail. Warezov. cj (Rising) - Email-Worm.
Win32. Warezov. mx [AVP] (FSecure) - Trojan.
Win32. Generic!BT (Sunbelt) - I-Worm.
Opnis. BVA (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.