Virus:Email-Worm.Win32.Warezov.ms
Other versions: .at , .bw , .do , .et, .ex, .gl, .iq, .jv, .jx, .la, .lb, .lg, .mx , .nd , .nf , .ns , .nv , .oa , .oi
| Detection added | Apr 03 2007 02:04 GMT |
| Update released | Apr 03 2007 03:25 GMT |
| Description added | Apr 04 2007 |
| Behavior | Email Worm |
| Technical details |
This worm spreads via the Internet as an attachment to infected messages. The attachment does not contain a copy of the worm, but a component which downloads other malicious programs via the Internet.
Infected messages will be sent to all email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file. The size of the worm components varies from 19KB to 130KB in size.
Installation
When launching, the worm causes an error message to be displayed:
During installation, the worm copies its executable file to the Windows system directory under the following name:
%System%\iasnx9tc.exeIt then creates the following file:
%System%\iasnx9tc.dllThis file is 113 895 bytes in size.
The worm also creates the following system registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iasnx9tc]"DllName"="%System%\iasnx9tc.dll"
"Startup"="WlxStartupEvent"
"Shutdown"="WlxShutdownEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
Propagation via email
The worm harvests email addresses from the Windows address books.
The worm uses its own SMTP engine to send infected messages.
Infected messages
The attachment is a worm component which is capable of downloading other malicious programs via the Internet.
| Payload |
The worm's main executable file downloads other malicious programs from the remote malicious user's site and installs them to the victim machine.
Payload of component mailed as attachment
This component will be sent by the worm's main component. It will download other files from the Internet without the knowledge or consent of the user.
This component downloads a file from the following link:
http://***eradesunme.com/ntsrv32.exeAt the moment of writing, the latest version of the worm's executable file was placed on this link.
This file will be saved to the Windows temporary directory with a temporary name, and then launched for execution.
| Removal instructions |
Detection for this version of the worm were added to the Kaspersky Anti-Virus databases as an urgent update.
If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the process associated with the original worm file.
- Delete the original worm file.
- Manually delete the files listed below from the Windows system directory:
%System%\iasnx9tc.exe
%System%\iasnx9tc.dll - Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iasnx9tc] - Delete all infected messages from all mail folders.
- Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).