Email-Worm.Win32.Warezov.mxOther versions: .at , .bw , .do , .et, .ex, .gl, .iq, .jv, .jx, .la, .lb, .lg, .ms, .nd , .nf , .ns , .nv , .oa , .oi
This worm is a Windows PE EXE file, which is 89,116 bytes in size, and packed using Upack. The unpacked file is approximately 237KB in size. InstallationWhen launching, the worm creates the following files: %System%\msjidpmo.dll%System%\msssmsda.dll %System%\msssmsda.exe It also creates the following system registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msssmsda]"DllName" = "%System%\msssmsda.dll" "Startup" = "WlxStartupEvent" "Shutdown" = "WlxShutdownEvent" "Impersonate" = dword:00000000 "Asynchronous" = dword:00000000 PropagationThis worm uses ICQ to spread. The link below is sent with the message "Try it". http://***.cuhasefunjinksa.com/1/6696/When the user opens the link in the web browser, s/he will be asked if he wants to download and launch a file called "flash.exe" which actually contains the latest version of the worm.
The worm injects its component %System%\msjidpmo.dll into the following processes: services.exezlclient.exe iexplore.exe mpftray.exe svchost.exe outpost.exe firefox.exe ccapp.exe zapro.exe opera.exe tsmc.exe The worm will disable antivirus and firewall applications on the victim machine. It may also download other malicious programs from the remote malicious user's site and launch them for execution on the victim machine.
An urgent antivirus database update to detect this program was released. If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and this malicious program will be detected without the need to update antivirus databases. If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
|
|||||||||