Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Zhelatin.u
Email-Worm.Win32.Zhelatin.u
| Detected | Feb 09 2007 14:09 GMT |
| Released | May 18 2007 08:49 GMT |
| Published | Feb 09 2007 14:09 GMT |
Payload
Removal instructions
Technical Details
This email worm is a Windows PE EXE file. It can vary from 6KB to 54KB in size. It is packed using UPX.
Installation
When installing, the worm creates the following files in the Windows system directory:
- %System%\adirss.exe – 6038 bytes in size.
- %System%\taskdir.exe – 54166 bytes in size.
- %System%\zlbw.dll – 46592 bytes in size.
- %System%\adir.dll – 4608 bytes in size. This file will be detected by Kaspersky Anti-Virus as Email-Worm.Win32.Banwarum.f.
In order to ensure that the worm is launched automatically each time Windows is restarted, it registers its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
sysinter="%System%\adirss.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
taskdir="%System%\taskdir.exe"
It creates the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adir]
which will load %System%\adir.dll each time Windows is rebooted.
The worm adds a rule to the system firewall which permits activity from the worm's executable file. In order to do this, it executes the following command:
netsh firewall set allowedprogram %System%\adirss.exe enable
The worm also creates a service called "Windows update Service” which will load the worm’s executable file %System%\taskdir.exe
Payload
The adirss.exe process launches an SMTP proxy server on TCP port 25. This enables a remote malicious user to use the infected machine as part of a botnet to send spam.
The worm will then register itself on the remote malicious user’s site, transmitting the network address of the victim machine.
The worm then downloads a file containing the botnet configuration from the remote malicious user’s site, and saves it as %System%\log.txt. Data from this file will then be used to get data in order to send spam.
%System%\adir.dll is a rootkit library, which hides worm files on the hard disk, processes launched by the worm, and registry keys which contain the worm configuration.
The worm downloads a file from the following link:
http://***cp/bin/lim
and saves it as:
%System%\taskdir~.exe
The file is then launched for execution.
At the moment of writing, this link was not working.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Reboot the computer in Safe Mode.
- Delete the following files:
%System%\adirss.exe %System%\taskdir.exe %System%\zlbw.dll %System%\adir.dll %System%\log.txt %System%\taskdir~.exe
- Delete the following system registry key parameters:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
sysinter="%System%\adirss.exe"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
taskdir="%System%\taskdir.exe" - Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adir]
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- Trojan-Proxy.
Win32. Lager. fb (Kaspersky Lab) - Virus:
W32/Zhelatin. gen@MM (McAfee) - Mal/HckPk-A (Sophos)
- Trojan.
Downloader-1381 (ClamAV) - W32/Nurech.
A. worm (Panda) - W32/Heuristic-MUP!Eldorado (FPROT)
- Trojan:
Win32/Tibs. DK (MS(OneCare)) - Trojan.
Packed. 14 (DrWeb) - Win32/Nuwar.
Gen worm (Nod32) - Trojan.
Generic. 3972638 (BitDef7) - Trojan.
Tibs. Gen!Pac37 (VirusBuster) - Win32:
Tibs-AII [Wrm] (AVAST) - Email-Worm.
Win32. Zhelatin. t (Ikarus) - Downloader.
Tibs. 3. A (AVG) - TR/Small.
DBY. AA. 2 (AVIRA) - W32.
Mixor. Q@mm (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- W32/Zhelatin.
gen@MM (NAI) - Mal_Nucrp-2 (PCCIL)
- Worm.
Mail. Zhelatin. ed (Rising) - Trojan.
Tibs. Gen!Pac37 (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.