Virus: Email-Worm.Win32.Warezov.at
Other versions: .bw, .do, .et, .ex, .gl, .iq, .jv, .jx, .la, .lb, .lg, .ms, .mx, .nd, .nf, .ns, .nv, .oa, .oi
This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine. The worm itself is a Windows PE EXE file, packed using UPack. The packed file is approximately 117KB in size, and the unpacked file is approximately 470KB in size.

Installation

Once launched, the worm causes the following message to be displayed:
It then copies itself to the Windows root directory as “t2serv.exe”:

%Windir%\t2serv.exe

It also creates the following files in the Windows system and root directories:
The worm also creates the following entries in the system registry, ensuring that the worm file will be launched automatically each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"t2serv" = "%Windir%\t2serv.exe s"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "wmnecomc.dll e1.dll"

Propagation via email

The worm sends itself to addresses harvested from the MS Windows address books. The worm uses its own SMTP library to send infected messages.

Infected messages

Examples of infected messages:
The worm downloads the following files from the URLs listed below, and then launches them for execution:

http://www4.vertio*****eliplim.com/chr/grv/lt.exe
http://www6.vertio*****eliplim.com/chr/grv/nt.exe

Files placed on these URLs contain other modifications of Email-Worm.Win32.Warezov.
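
The registry entries listed under Installation can be checked for offline in a text export of the registry. The following is an added example, not part of the original description: it parses `reg export`-style text and reports the "t2serv" Run entry and the two AppInit_DLLs names given above. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above; key paths use the long hive name
# that `reg export` writes for HKLM.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WIN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
WORM_EXE = re.compile(r'(?:^|[\\/"])t2serv\.exe(?:$|[\s"])', re.I)
WORM_DLLS = {"wmnecomc.dll", "e1.dll"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"t2serv"="C:\\WINDOWS\\t2serv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wmnecomc.dll e1.dll"
'''

def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_warezov_at(keys):
    """List (location, value name or DLL, raw data) for each indicator found."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if WORM_EXE.search(data):  # match the file name in any directory
            findings.append(("Run", name, data))
    appinit = keys.get(WIN_KEY.lower(), {}).get("appinit_dlls", "")
    for dll in re.split(r"[ ,]+", appinit):  # space- or comma-delimited list
        if dll.rsplit("\\", 1)[-1].lower() in WORM_DLLS:
            findings.append(("AppInit_DLLs", dll, appinit))
    return findings

if __name__ == "__main__":
    for finding in find_warezov_at(parse_reg_export(SAMPLE)):
        print(finding)
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `parse_reg_export`.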