Virus:Email-Worm.Win32.Warezov.gl

Other versions: .at, .bw, .do, .et, .ex, .iq, .jv, .jx, .la, .lb, .lg, .ms, .mx, .nd, .nf, .ns, .nv, .oa, .oi

Description added Nov 22 2006
Technical details

This worm spreads via the Internet as an attachment to infected messages. The attachment doesn't contain a copy of the worm, but a component which is able to download other malicious programs via the Internet.

Infected messages are sent to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 110KB in size, packed using UPX. The unpacked file is approximately 235KB in size.

Installation

Once launched, the worm copies itself to the Windows directory as "cservv32.exe":

%Windir%\cservv32.exe

The worm also creates the following files in the Windows system and root directories:

%System%\e1.dll (20 480 bytes)
%Windir%\cservv32.s
%Windir%\cservv32.wax
%Windir%\cservv32.dat

The worm also creates the following entries in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"cservv32" = "%Windir%\cservv32.exe s"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "e1.dll"

This ensures that the worm will be launched each time Windows is booted on the victim machine.
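A defender's check for the two persistence entries listed above, written as an added example for this page (not Kaspersky's code): it parses a `.reg`-style export of the Run key and the AppInit_DLLs value and reports entries matching the description's indicators. The export text is constructed for the example, with %Windir% expanded to C:\WINDOWS.

```python
import re

# Constructed .reg-style export of the two keys named in the description
# (not captured from a real machine; data follows the page's indicators,
# with %Windir% expanded to C:\WINDOWS).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cservv32"="C:\\WINDOWS\\cservv32.exe s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="e1.dll"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_IMAGE = "cservv32.exe"   # image behind the "cservv32" Run value
APPINIT_DLL = "e1.dll"       # module the worm lists in AppInit_DLLs

def parse_reg_export(text):
    """Return {key_path (lowercased): {value_name: data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # .reg exports double every backslash; undo that here
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_warezov_persistence(reg_text):
    """Return [(location, value_name, data)] for entries matching the indicators."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if RUN_IMAGE in data.lower():
            hits.append(("Run", name, data))
    appinit = keys.get(APPINIT_KEY.lower(), {}).get("AppInit_DLLs", "")
    # AppInit_DLLs is a space- or comma-separated module list; match the whole name,
    # since a DLL listed here is loaded into every process that loads user32.dll.
    if any(mod.lower() == APPINIT_DLL for mod in re.split(r"[ ,;]+", appinit)):
        hits.append(("AppInit_DLLs", "AppInit_DLLs", appinit))
    return hits
```

Run it against the output of `reg export` for each of the two keys from a triage of the suspect machine; an empty result means neither persistence entry is present.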

Propagation via email

The worm sends emails to addresses harvested from the Windows address books.

The worm uses its own SMTP engine to send infected messages.

Infected messages

Message subject (chosen at random from the list below):

Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test

Message body (chosen at random from the list below):

Mail transaction failed. Partial message is available.
__________________________

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

__________________________

The message contains Unicode characters and has been sent as a binary attachment.

__________________________

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment name (chosen at random from the list below):

body
data
doc
docs
document
file
message
readme
test
text
Update-KB<random symbols>-x86

The attachment is a worm component which is capable of downloading other malicious programs via the Internet.

This component will be detected by Kaspersky Anti-Virus under the same name as the worm's main component, Email-Worm.Win32.Warezov.gl.
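A mail-gateway style check built from the subjects, body phrases and attachment names listed above, added here as an example (not Kaspersky's code). It counts how many of the three indicator classes a message matches, so that a single weak indicator such as the subject "test" does not block mail on its own. The sample message is constructed; the "random symbols" in Update-KB<random symbols>-x86 are assumed to be alphanumeric, and the .exe extension on the sample attachment is a placeholder, since the page does not state either.

```python
import re

# Subjects and attachment base names quoted in the description (lowercased).
SUBJECTS = {"error", "good day", "hello", "mail delivery system", "mail server report",
            "mail transaction failed", "picture", "server report", "status", "test"}
ATTACH_NAMES = {"body", "data", "doc", "docs", "document", "file",
                "message", "readme", "test", "text"}
# "Update-KB<random symbols>-x86": the random part is assumed alphanumeric (assumption).
UPDATE_KB = re.compile(r"^update-kb[a-z0-9]+-x86$", re.I)
# Distinctive phrases from the listed message bodies.
BODY_PHRASES = ("partial message is available", "sent as a binary attachment",
                "e-mails containing worm copies", "customers support service")

def attachment_basename(filename):
    """Strip any directory part and the last extension ('Update-KB1-x86.exe' -> 'Update-KB1-x86')."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name

def score_message(subject, body, attachments):
    """Return (score, reasons): one point per indicator class from the description
    that matches. Subject and attachment names alone are generic words, so a
    threshold of 2 or more is a sensible quarantine rule."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject in Warezov.gl list")
    if any(p in body.lower() for p in BODY_PHRASES):
        reasons.append("body phrase in Warezov.gl list")
    for att in attachments:
        base = attachment_basename(att)
        if base.lower() in ATTACH_NAMES or UPDATE_KB.match(base):
            reasons.append("attachment name %r in Warezov.gl list" % base)
            break
    return len(reasons), reasons

# Constructed sample in the style of the description (not a real capture);
# the .exe extension is a placeholder, the page does not give one.
SAMPLE = {
    "subject": "Mail Transaction Failed",
    "body": "Mail transaction failed. Partial message is available.",
    "attachments": ["Update-KB8301-x86.exe"],
}
```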

Payload

Payload of main component

The worm will terminate a range of antivirus solutions and firewall applications if any of them is found running on the victim machine.

Payload of component mailed as attachment

This component will be sent by the worm's main component. It will download other files from the Internet without the knowledge or consent of the user.

The file is 23,556 bytes in size.

Once launched, this file will open the default text editor (usually Notepad), or it will cause a message to be displayed.

When the file is installed to the victim machine, it will create a copy of itself in the Windows system directory with a random name.

The component sent by the worm contains a list of URLs, which will be checked for the presence of files. If a file is found on any of these addresses, it will be downloaded to the victim machine and launched for execution.

Removal instructions

Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.

If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Use Task Manager to terminate the following process:
    cservv32.exe
  3. Manually delete the files listed below from the Windows root and system directories:
    %Windir%\cservv32.exe
    %Windir%\cservv32.s
    %Windir%\cservv32.wax
    %Windir%\cservv32.dat
    %System%\e1.dll
  4. Delete the following entries from the system registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "cservv32" = "%Windir%\cservv32.exe s"
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "e1.dll"
  5. Reboot the computer and check that you have deleted all infected messages from all mail folders.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).