Alias: W32.Akosw@mm, Win32.Israz.A [CA], W32/Israz.worm [McAfee], Worm_Israz.A [Trend], W32/Israz-A [Sophos], I-Worm.Israz [KAV]
Type: Worm
Size: 147,456 Bytes, 16,384 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Low
Distribution: Low

Distribution
The worm sends itself to all email addresses found in the Windows Address Book. The email has the following structure:

From:
update@microsoft.com
help@google.com
copyright@yahoo-inc.com

Subject:
Windows Update
PS1
Update Your ToolBar
Auto Search Wizard
Yahoo FAQ
Support For Search
You must to see that

Body:

Your file is attached to message. For more information go to Windows Update http:/ /windowsupdate.microsoft.com

Your file is attached to message. For more information go to Windows Update http:/ /windowsupdate.microsoft.com

Your file is attached to message. For more information go to Google home page http:/ /www.google.com

Your file is attached to message. For more information go to Google home page http:/ /www.google.com

Your file is attached to message. For more information go to Yahoo home page http:/ /www.yahoo.com

Your file is attached to message. For more information go to Yahoo home page http:/ /www.yahoo.com

Your file is attached to message.

Attachment:
Update.exe
Q322593.exe
ToolBar.exe
Wizard.exe
FAQ.exe
Support.exe
Fun.exe

Technical Details
When activated, Worm/Isratz.1 is copied as:
%SystemDIR%\Win32.exe
%SystemDIR%\vShell.exe
%Temp%\Update.exe
%Temp%\Fun.exe
%Temp%\FAQ.exe
%Temp%\ToolBar.exe
%Temp%\Support.exe
%Temp%\Q322593.exe
%Temp%\Wizard.exe

It creates the following files:
%SystemDIR%\vUser.exe
%SystemDIR%\OSSMTP.dll

It creates the following registry autostart entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Win32"="%SystemDIR%\Win32.exe"

It changes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\txtfile\shell\open\command in: @="%SystemDIR%\vShell.exe %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ScriptBlocking in: Script Blocking

It then looks for the KaZaA download directory and copies itself into it under one of the following names:
XP Keys.exe
OfficeXP Keys.exe
NAV_2003 Crack.exe
Doom_3 Crack.exe
GTA Vice City Crack.exe


The worm creates the following registry entry:
HKEY_CURRENT_USER\Software\Win32
and overwrites all .url files referring to the following websites:
www.ynet.co.il
www.tapuz.co.il
www.nana.co.il
www.msn.co.il
www.walla.co.il
Description inserted by Crony Walker on Tuesday, June 15, 2004
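
A host triage check built from the indicators listed above, as an added example that is not Avira's code: it runs over an exported snapshot (a file listing plus registry values) rather than a live system. The function name triage, the snapshot format, the strong/weak grading and the directory arguments are assumptions of this example.

```python
import ntpath

# Indicators from the description above. Names are lower-cased because
# Windows paths and registry key names are case-insensitive.
SYSTEM_DROPS = {"win32.exe", "vshell.exe", "vuser.exe", "ossmtp.dll"}
TEMP_DROPS = {"update.exe", "fun.exe", "faq.exe", "toolbar.exe",
              "support.exe", "q322593.exe", "wizard.exe"}
KAZAA_LURES = {"xp keys.exe", "officexp keys.exe", "nav_2003 crack.exe",
               "doom_3 crack.exe", "gta vice city crack.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_local_machine\software\classes\txtfile\shell\open\command"
MARKER_KEY = r"hkey_current_user\software\win32"


def triage(files, registry, system_dir, temp_dir, share_dir=None):
    """Return sorted (strength, detail) findings for a host snapshot.

    files: iterable of full paths; registry: {(key, value_name): data},
    with "" as the name of a key's default value (@).
    """
    sysd = system_dir.lower().rstrip("\\")
    tmpd = temp_dir.lower().rstrip("\\")
    shared = share_dir.lower().rstrip("\\") if share_dir else None
    found = set()
    for path in files:
        folder, name = ntpath.split(path.lower())
        if folder == sysd and name in SYSTEM_DROPS:
            found.add(("strong", "dropped file " + path))
        elif shared and folder == shared and name in KAZAA_LURES:
            found.add(("strong", "KaZaA lure " + path))
        elif folder == tmpd and name in TEMP_DROPS:
            # Generic names such as Update.exe also occur on clean hosts.
            found.add(("weak", "temp copy " + path))
    for (key, value), data in registry.items():
        key, value, data = key.lower(), value.lower(), data.lower()
        if (key == RUN_KEY and value == "win32"
                and ntpath.join(sysd, "win32.exe") in data):
            found.add(("strong", "Run autostart -> " + data))
        elif (key == TXT_KEY and value == ""
                and ntpath.join(sysd, "vshell.exe") in data):
            # Opening any .txt file would launch the worm's copy.
            found.add(("strong", "txtfile open handler -> " + data))
        elif key == MARKER_KEY:
            found.add(("weak", "marker key HKCU\\Software\\Win32 present"))
    return sorted(found)
```

If the txtfile handler finding fires, the open command has to be set back to the system's original text editor after the files are removed, otherwise .txt files will no longer open.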
