Virus:Email-Worm.Win32.Warezov.la

Other versions: .at, .bw, .do, .et, .ex, .gl, .iq, .jv, .jx, .lb, .lg, .ms, .mx, .nd, .nf, .ns, .nv, .oa, .oi

Detection added Feb 12 2007 07:43 GMT
Update released Feb 12 2007 09:00 GMT
Description added Feb 21 2007
Behavior Email Worm
Technical details

This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm itself but a downloader component, which fetches other malicious programs from the Internet.

Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. Modifications of this program may vary in size, from 89KB to 114KB.

Installation

When installing, the worm copies its executable file to the Windows system directory:

%System%\dxtmmnmd.exe

The worm also extracts the following file from its body:

%System%\dxtmmnmd.dll

Propagation via e-mail

The worm harvests email addresses from the Windows address books.

The worm uses its own SMTP engine to send infected messages.

Infected messages

Message subject (chosen at random from the list below):

Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test

Message body (chosen at random from the list below):


Mail transaction failed. Partial message is available.


The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


The message contains Unicode characters and has been sent as a binary attachment.


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses.

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment name (chosen at random from the list below):

body
data
doc
docs
document
file
message
readme
test
text
Update-KB<random digits>-x86

The attachment has either a .zip extension or the double extension .txt.exe, which makes the executable look like a text file.

The attachment is a worm component which is capable of downloading other malicious programs via the Internet.
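The lure above (a lookalike bounce or "mail server report" whose attachment is one of the listed names, or Update-KB followed by digits, with a .zip or .txt.exe extension) is easy to match on a mail gateway. The following Python script is an added example written for this page, not code from Kaspersky or from the worm: it parses a raw RFC 822 message with the standard `email` module, checks the subject, the plain-text body and every attachment filename against the strings given above, and flags a message only when a lure attachment name is accompanied by a lure subject or body, because subjects such as "Status" or "test" alone are far too common to act on. The two sample messages, the sender and recipient addresses and the KB digits are constructed for the example.

```python
"""Flag e-mail messages that match the Warezov.la lure described above."""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Subject lines, body fragments and attachment names taken from the description.
SUBJECTS = {
    "Error", "Good Day", "hello", "Mail Delivery System", "Mail server report",
    "Mail Transaction Failed", "picture", "Server Report", "Status", "test",
}
BODY_MARKERS = (
    "Mail transaction failed. Partial message is available.",
    "has been sent as a binary attachment",
    "Our firewall determined the e-mails containing worm copies",
)
# Attachment: one of the listed base names or Update-KB<digits>-x86,
# with a .zip extension or the .txt.exe double extension.
ATTACHMENT_RE = re.compile(
    r"^(?:body|data|docs?|document|file|message|readme|test|text|Update-KB\d+-x86)"
    r"\.(?:zip|txt\.exe)$",
    re.IGNORECASE,
)


def score_message(raw: str) -> dict:
    """Return which lure indicators a raw RFC 822 message matches."""
    msg: Message = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    hits = []
    if subject in SUBJECTS:
        hits.append("subject")

    body_text = ""
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("utf-8", "replace")
    if any(marker in body_text for marker in BODY_MARKERS):
        hits.append("body")

    bad_attachments = [n for n in attachments if ATTACHMENT_RE.match(n)]
    if bad_attachments:
        hits.append("attachment")

    # A lure attachment name plus a lure subject or body is the worm's pattern;
    # a lone subject such as "Status" is too common to block on.
    return {
        "subject": subject,
        "attachments": bad_attachments,
        "hits": hits,
        "suspicious": "attachment" in hits and len(hits) >= 2,
    }


def build_sample(subject: str, body: str, filename: str) -> str:
    """Build a constructed test message (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"   # constructed sender
    msg["To"] = "victim@example.invalid"      # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder attachment bytes; the real attachment is the downloader.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed samples: one mimicking the lure, one ordinary message.
WORM_SAMPLE = build_sample(
    "Mail server report",
    "Mail server report.\n\n"
    "Our firewall determined the e-mails containing worm copies\n"
    "are being sent from your computer.\n",
    "Update-KB48275-x86.zip",   # the KB digits are made up for the sample
)
BENIGN_SAMPLE = build_sample(
    "Status", "Weekly status report attached.\n", "status-2007-02.pdf"
)

if __name__ == "__main__":
    for raw in (WORM_SAMPLE, BENIGN_SAMPLE):
        print(score_message(raw))
```

The regular expression deliberately anchors on the whole filename, so `document.exe` or `Update-KB-x86.zip` do not match; only the exact name pattern and extension pair given in the description is treated as an indicator.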

Payload

Payload of main component

The worm stops and disables the services belonging to the following firewall products:

Sygate Personal Firewall
Zone Labs ZoneAlarm
Windows Firewall
Symantec Internet Security
Agnitum Outpost Firewall
McAfee.com Personal Firewall
Kerio WinRoute

Payload of component mailed as attachment

This component is the one mailed out by the worm's main component. It downloads other files from the Internet without the user's knowledge or consent.

This component downloads a file from the following link:

kuturoisus.com/***/965/e/b****
(At the moment of writing, this link was not working.)

The file will be saved to the Windows system directory under a random name with an .exe extension. The file will then be launched for execution.

Removal instructions

Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.

If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the process associated with the original worm file.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Manually delete the files listed below from the Windows system directory:
    %System%\dxtmmnmd.exe
    %System%\dxtmmnmd.dll
  4. Delete all infected messages from all mail folders.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
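Steps 1 to 3 of the procedure above can be scripted so that the order is enforced: the process must be killed before the files are deleted, because Windows keeps the running executable and its loaded DLL locked. The following Python script is an added example for this page, not Kaspersky's tool: it parses the output of `tasklist /FO CSV` for the worm image name, then removes the two dropped files from the system directory, and by default only reports what it would do. The `tasklist` sample, its PIDs and memory figures are constructed; the `make_constructed_system_dir` helper only creates empty stand-in files in a temporary directory so the script can be exercised off a real infected host.

```python
"""Host triage and cleanup for the files and process listed above."""
import csv
import io
import os
import subprocess
import tempfile
from pathlib import Path

WORM_IMAGE = "dxtmmnmd.exe"
WORM_FILES = ("dxtmmnmd.exe", "dxtmmnmd.dll")


def find_worm_files(system_dir) -> list:
    """Return the dropped worm files that exist under the given system directory."""
    base = Path(system_dir)
    return [base / name for name in WORM_FILES if (base / name).is_file()]


def worm_pids(tasklist_csv: str) -> list:
    """Parse `tasklist /FO CSV` output and return the PIDs of the worm process."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(row["PID"]) for row in reader
            if row["Image Name"].lower() == WORM_IMAGE]


def _taskkill(pid: int) -> None:
    """Terminate a process on Windows (step 1 of the removal instructions)."""
    subprocess.run(["taskkill", "/PID", str(pid), "/F"], check=False)


def remediate(system_dir, tasklist_csv: str, dry_run: bool = True,
              kill=_taskkill) -> list:
    """Kill the worm process, then delete its files (locked while it runs).

    Returns the actions taken, or the actions planned when dry_run is True.
    """
    actions = []
    for pid in worm_pids(tasklist_csv):
        actions.append(f"taskkill /PID {pid} /F")
        if not dry_run:
            kill(pid)
    for path in find_worm_files(system_dir):
        actions.append(f"del {path}")
        if not dry_run:
            path.unlink()
    return actions


def make_constructed_system_dir() -> str:
    """Create a temporary stand-in for %System% holding empty worm files."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    for name in WORM_FILES:
        Path(d, name).write_bytes(b"")   # empty placeholders, not the worm
    return d


# Constructed tasklist output; PIDs and memory figures are made up.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System","4","Console","0","236 K"\n'
    '"explorer.exe","1532","Console","0","18,452 K"\n'
    '"dxtmmnmd.exe","2044","Console","0","3,108 K"\n'
)

if __name__ == "__main__":
    # On the Windows host itself: take the live process list and report first.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    live = subprocess.run(["tasklist", "/FO", "CSV"],
                          capture_output=True, text=True).stdout
    for action in remediate(system_dir, live, dry_run=True):
        print("would run:", action)
```

Run it once with the default dry run and compare the planned actions against the file list above before switching `dry_run` off; step 2 (the original attachment wherever it was saved) and step 4 (the mail folders) still have to be done by hand, since their locations are not fixed.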