Virus:Email-Worm.Win32.Warezov.nd

• Technical details
• Payload
• Removal instructions

This worm is a Windows PE EXE file. It is 90,304 bytes in size. It is packed using Upack. The unpacked file is approximately 237KB in size.

Installation

When launched, the worm creates the following files:

The worm also creates the following system registry key:

Propagation

This worm spreads via ICQ messages.

Messages read "Check this::" followed by the link shown below:

If the user opens this link in the browser, s/he will be asked if s/he wants to download and launch a file called "archive.exe", which is the latest version of the worm.

The worm will disable a range of antivirus and firewall applications.

The worm is also about to download other malicious programs from the remote malicious user's site, and launch them for execution on the victim machine.

Îáíàðóæåíèå. Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.
If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the process associated with the original worm file.
2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
3. Manually delete the files listed below from the Windows system directory:
   %System%\shfoxpob.dat
   %System%\shfoxpob.exe
   %System%\shfoxpob.dll
4. Delete the following registry key:
   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\shfoxpob]
5. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).