Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Warezov.oa
Email-Worm.Win32.Warezov.oa
| Detected | Jun 01 2007 12:43 GMT |
| Released | Jun 13 2007 13:31 GMT |
| Published | Jun 01 2007 12:43 GMT |
Payload
Removal instructions
Technical Details
This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm, but a component which downloads other malicious programs via the Internet.
Infected messages will be sent to all email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file. The size of infected files may vary from 10KB to 27KB.
Installation
When launched, the worm causes the following message to be displayed:
The worm them copies its executable file to the Windows system directory as "shdowsht.exe":
It creates the following file (this file is 114 688 bytes in size):
The worm also creates the following system registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\shdowsht] "DllName" = "%System%\shdowsht.dll" "Startup" = "WlxStartupEvent" "Shutdown" = "WlxShutdownEvent" "Impersonate" = dword:00000000 "Asynchronous" = dword:00000000
Propagation via email
The worm harvests email addresses from the Windows address books.
The worm uses its own SMTP engine to send infected messages.
Example of an infected message:
The attachment contains a component of the worm which is capable of downloading other malicious programs via the Internet. Attachment name:
Update-KB<random four digit number>-x86.exe
Payload
Payload of main component
The worm is able to terminate a range of processes, and to delete services related to antivirus solutions and firewalls.
The worm’s main executable file will download other malicious programs from the remote malicious user’s site and install them to the victim machine.
The worm will search all files on the hard disk for email addresses, and send them to the remote malicious user's site.
Payload of component mailed as attachment
This component will be sent by the worm's main component. It will download other files from the Internet without the knowledge or consent of the user.
This component downloads a file from the following link:
http://xuyhadesunkadwi.com/***32.exe
At the moment of writing, the most recent version of the worm's executable file was located on this link.
The downloaded file will be saved to the Windows temporary directory under a random name. The file will then be launched for execution.
Removal instructions
Detection. Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.
If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this malicious program will be detected without the need to update antivirus databases.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the backdoor process.
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Manually delete the files listed below from the Windows system directory:
- Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\shdowsht]
- Delete all infected messages from all mail folders.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
- Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Trojan:
Downloader-ABU (McAfee) - Mal/DelpDldr-D (Sophos)
- Heuristic.
WinPE-Statistical (Panda) - W32/Heuristic-DL3!Eldorado (FPROT)
- TrojanDownloader:
Win32/Small. gen!B (MS(OneCare)) - Trojan.
DownLoader. 56665 (DrWeb) - Win32/TrojanDownloader.
Dadobra. FX trojan (Nod32) - Trojan.
Downloader. Banload. NTW (BitDef7) - Packed/Upack!Dump (VirusBuster)
- Trojan-Downloader.
Win32. Banload (Ikarus) - Downloader.
Generic3. KSN (AVG) - TR/Dldr.
Delphi. Gen (AVIRA) - W32/DLoader.
AGQBO (Norman) - Trojan.
DL. Win32. Delf. bxr (Rising) - Email-Worm.
Win32. Warezov. oa [AVP] (FSecure) - Cryp_Xed-12 (TrendMicro)
- Packed/Upack!Dump (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.