English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Email-Worm.Win32.Warezov.qy

Email-Worm.Win32.Warezov.qy

Detected	Aug 29 2007 08:45 GMT
Released	Aug 29 2007 08:45 GMT
Published	Sep 05 2007 13:40 GMT

Technical Details
Payload
Removal instructions

Technical Details

This worm spreads via email. The worm does not place a copy of itself in the attachment to infected emails, but a component which is able to download other malicious programs via the Internet.

Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. It is 123,392 bytes in size. It is packed using UPX. The unpacked file is approximately 150KB in size.

Installation

When launched, the worm copies its executable file to the Windows system directory as "w32tcomr.exe":

%System%\w32tcomr.exe

It drops the following file, which is 110,592 bytes in size.

%System%\w32tcomr.dll

The worm also creates the following system registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\w32tcomr.exe]
"DllName" = "%System%\w32tcomr.exe"
"Startup" = "WlxStartupEvent"
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = dword:00000000
"Asynchronous" = dword:00000000

Propagation via email

The worm harvests email addresses from the Windows address books.

The worm uses its own SMTP engine to send infected messages.

Infected messages:

Message subject:

Mail sever report.

Message body:

Do not reply to this message Dear Customer, Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction. Customer support center robot

Attachment name:

The attachment contains a component of the worm which is capable of downloading other malicious programs via the Internet. This file has the following name:

Update-KB<random four digit number> -x86.exe

Payload

Payload of main component

The worm is able to terminate a range of processes, and to delete services related to antivirus solutions and firewalls.

The worm’s main executable file will download other malicious programs from the remote malicious user’s site and install them to the victim machine.

The worm will search all files on the hard disk for email addresses, and send them to the remote malicious user's site.

Payload of component mailed as attachment

This component will download other files from the Internet without the knowledge or consent of the user.

The component will download the most recent variant of the worm from a specified site. The link to the site is coded into the component's body.

The downloaded file will be saved to the Windows temporary directory under a random name. The file will then be launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the backdoor process.
Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\w32tcomr]

Delete the following files:

%System%\w32tcomr.exe
%System%\w32tcomr.dll

Delete all infected messages from all mail folders.
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Print

Share

Malicious programs

Viruses and worms

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

using a direct connection to a SMTP server using the email directory built into the worm’s code
using MS Outlook services
using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

the address book in MS Outlook
a WAB address database
.txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Other versions

Email-Worm.Win32.Warezov.bw

Email-Worm.Win32.Warezov.do

Email-Worm.Win32.Warezov.et

Email-Worm.Win32.Warezov.ex

Email-Worm.Win32.Warezov.jv

Email-Worm.Win32.Warezov.jx

Email-Worm.Win32.Warezov.la

Email-Worm.Win32.Warezov.lb

Email-Worm.Win32.Warezov.lg

Email-Worm.Win32.Warezov.mo

Email-Worm.Win32.Warezov.mx