Email-Worm.Win32.Warezov.oz

Technical Details
Payload
Removal instructions

Technical Details

This worm spreads via email. The worm does not place a copy of itself in the attachment to infected emails, but a component which is able to download other malicious programs via the Internet.

Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. Modifications of this program's components vary in size, from 14KB to 135KB. It is packed using Upack.

Installation

When launched, the worm causes the following message to be displayed:

The worm them copies its executable file to the Windows system directory as "hpzcitss.exe":

%System%\hpzcitss.exe

It drops the following file, which is 114,688 bytes in size:

%System%\hpzcitss.dll

The worm also creates the following system registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpzcitss]
"DllName" = "%System%\hpzcitss.dll"
"Startup" = "WlxStartupEvent"
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = dword:00000000
"Asynchronous" = dword:00000000

Propagation via email

The worm harvests email addresses from the Windows address books.

The worm uses its own SMTP engine to send infected messages.

Infected messages

Message subject

Mail sever report.

Message body

Chosen at random from the list below:

Attachment name

The attachment contains a component of the worm which is capable of downloading other malicious programs via the Internet. This file has the following name:

Update-KB<random four digit number>-x86.exe

Payload

Payload of main component

The worm is able to terminate a range of processes, and to delete services related to antivirus solutions and firewalls.

The worm’s main executable file will download other malicious programs from the remote malicious user’s site and install them to the victim machine.

The worm will search all files on the hard disk for email addresses, and send them to the remote malicious user's site.

Payload of component mailed as attachment

This component will download other files from the Internet without the knowledge or consent of the user.

It downloads a file from the following link:

http://jadesunhaxazedesa.com/****.exe

At the moment of writing, the most recent version of the worm's executable file was located on this link. The file will be detected by Kaspersky Anti-Virus as Email-Worm.Win32.Warezov.pa.

The downloaded file will be saved to the Windows temporary directory under a random name. The file will then be launched for execution.

Removal instructions

Detection. Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.
If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this malicious program will be detected without the need to update antivirus databases.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the backdoor process.
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Manually delete the files listed below from the Windows system directory:

   %System%\hpzcitss.exe
   %System%\hpzcitss.dll

4. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpzcitss]

5. Delete all infected messages from all mail folders.
6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).