Virus:Email-Worm.Win32.Warezov.oiOther versions: .at , .bw , .do , .et, .ex, .gl, .iq, .jv, .jx, .la, .lb, .lg, .mf, .mx, .nd, .ns , .ns, .nv, .oa
This worm is a Windows PE EXE file. The file is 88,826 bytes in size. It is packed using Upack. The unpacked file is approximately 237KB in size. InstallationWhen launched, the worm creates the following files: %System%\dmimmsss.dll%System%\dmimmsss.exe The worm also creates the following system registry key: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dmimmsss]"DllName" = "%System%\dmimmsss.dll" "Startup" = "WlxStartupEvent" "Shutdown" = "WlxShutdownEvent" "Impersonate" = dword:00000000 " Asynchronous" = dword:00000000 PropagationThis worm spreads via ICQ messages. Messages contain the following text: "Check this:" or "My party pics:". A link to the executable file of the latest variant of Warezov follows the text. If the user opens this link in the browser, s/he will be asked if s/he wants to download and launch a file called "photo.pif”. When this file is launched, the worm will be installed to the victim machine.
The worm loads its component, %System%\ dmimmsss.dll, to the following processes: services.exezlclient.exe iexplore.exe mpftray.exe svchost.exe outpost.exe firefox.exe ccapp.exe zapro.exe opera.exe smc.exe The worm will disable a range of antivirus and firewall applications. The worm is also able to download other malicious programs from the remote malicious user's site, and launch them for execution on the victim machine.
Detection. Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update. If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
|
|||||||||||