Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:Worm/Warezov.DLL.C
Descoperit pe data de:22/09/2006
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut
Potential de raspandire:Mediu
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:153.128 Bytes
MD5:6d5b6945f50dc801208525936d5c24b9
Versiune VDF:6.36.00.50
Versiune IVDF:6.36.00.61 - marți, 26 septembrie 2006

 General Metoda de raspandire:
   • Email


Alias:
   •  Mcafee: W32/Stration@MM
   •  Kaspersky: Email-Worm.Win32.Warezov.ab
   •  TrendMicro: WORM_STRATION.BC
   •  F-Secure: Email-Worm.Win32.Warezov.ab
   •  Eset: Win32/Stration.AR


Sistem de operare:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Blocheaza accesul la website-uri ale firmelor de securitate
   • Creeaza fisiere malware
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri


Imediat dupa lansarea in executie, pe ecran este afisat:


 Fisiere Se copiaza in urmatoarea locatie:
   • %WINDIR%\tsrv.exe



Sunt create fisierele:

– Un fisier care contine adrese de e-mail:
   • %WINDIR%\tsrv.wax

– %HOME%\Desktop\%combinatie de doua caractere aleatoare%.tmp Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • %combinatie de caractere aleatoare%

%SYSDIR%\msji449c14b7.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Stration

%SYSDIR%\cmut449c14b7.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB

%SYSDIR%\hpzl449c14b7.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB.2

%WINDIR%\tsrv.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB.1

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "tsrv"="%WINDIR%\tsrv.exe s"



Urmatoarea cheie din registri este modificata:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Vechea valoare:
   • "AppInit_DLLs"=""
   Noua valoare:
   • "AppInit_DLLs"=" msji449c14b7.dll"

 Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:


De la:
Adresa este falsificata.
Adrese generate. Va rugam nu presupuneti ca a fost intentia expeditorului sa va trimita acest email. Este posibil ca el sa nu stie ca este infectat sau chiar sa nu aiba sistemul infectat. In plus, este posibil sa primiti email-uri returnate care sa va indice ca sunteti infectat, lucru care poate fi de asemenea fals.


Catre:
– Adrese de email gasite pe sistem.
– Adrese de email obtinute din WAB (Windows Address Book)
– Adrese generate


Formatul email-urilor:
 


De la: sec@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     
     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe
 


De la: secur@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     
     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe
 


De la: serv@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     
     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe


Subiect:
Unul din urmatoarele:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Corpul email-ului:
Corpul email-ului este unul din textele:

   • Mail transaction failed. Partial message is available.

   • The message cannot be represented in 7-bit ASCII encoding
     and has been sent as a binary attachment

   • The message contains Unicode characters and has been sent
     as a binary attachment.


Atasament:
Numele fisierelor atasate este alcatuit dupa cum urmeaza:

–  Incepe cu unul din urmatoarele:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Urmat de una din urmatoarele extensii false:
   • .elm
   • .msg
   • .dat
   • .txt
   • .log

    Extensia fisierului este una din urmatoarele:
   • .bat
   • .exe
   • .scr
   • .cmd
   • .pif

Atasamentul este o copie malware.



Email-ul poate arata ca unul din urmatoarele:



 Fisiere host Fisierul

– In acest caz inregistrarile existente raman nemodificate.

– Accesul la urmatoarele domenii este blocat:
   • download.microsoft.com; go.microsoft.com; msdn.microsoft.com;
      office.microsoft.com; windowsupdate.microsoft.com;
      http://www.microsoft.com/downloads/Search.aspx?displaylang=en; avp.ru;
      www.avp.ru; http://avp.ru; http://www.avp.ru; kaspersky.ru;
      www.kaspersky.ru; http://kaspersky.ru; kaspersky.com;
      www.kaspersky.com; http://kaspersky.com; kaspersky-labs.com;
      www.kaspersky-labs.com; http://kaspersky-labs.com; avp.ru/download/;
      www.avp.ru/download/; http://www.avp.ru/download/;
      http://www.kaspersky.ru/updates/;
      http://www.kaspersky-labs.com/updates/; http://kaspersky.ru/updates/;
      http://kaspersky-labs.com/updates/; downloads1.kaspersky-labs.com;
      downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
      downloads4.kaspersky-labs.com; downloads5.kaspersky-labs.com;
      http://downloads1.kaspersky-labs.com;
      http://downloads2.kaspersky-labs.com;
      http://downloads3.kaspersky-labs.com;
      http://downloads4.kaspersky-labs.com;
      http://downloads5.kaspersky-labs.com;
      downloads1.kaspersky-labs.com/products/;
      downloads2.kaspersky-labs.com/products/;
      downloads3.kaspersky-labs.com/products/;
      downloads4.kaspersky-labs.com/products/;
      downloads5.kaspersky-labs.com/products/;
      http://downloads1.kaspersky-labs.com/products/;
      http://downloads2.kaspersky-labs.com/products/;
      http://downloads3.kaspersky-labs.com/products/;
      http://downloads4.kaspersky-labs.com/products/;
      http://downloads5.kaspersky-labs.com/products/;
      downloads1.kaspersky-labs.com/updates/;
      downloads2.kaspersky-labs.com/updates/;
      downloads3.kaspersky-labs.com/updates/;
      downloads4.kaspersky-labs.com/updates/;
      downloads5.kaspersky-labs.com/updates/;
      http://downloads1.kaspersky-labs.com/updates/;
      http://downloads2.kaspersky-labs.com/updates/;
      http://downloads3.kaspersky-labs.com/updates/;
      http://downloads4.kaspersky-labs.com/updates/;
      http://downloads5.kaspersky-labs.com/updates/;
      ftp://downloads1.kaspersky-labs.com;
      ftp://downloads2.kaspersky-labs.com;
      ftp://downloads3.kaspersky-labs.com;
      ftp://downloads4.kaspersky-labs.com;
      ftp://downloads5.kaspersky-labs.com;
      ftp://downloads1.kaspersky-labs.com/products/;
      ftp://downloads2.kaspersky-labs.com/products/;
      ftp://downloads3.kaspersky-labs.com/products/;
      ftp://downloads4.kaspersky-labs.com/products/;
      ftp://downloads5.kaspersky-labs.com/products/;
      ftp://downloads1.kaspersky-labs.com/updates/;
      ftp://downloads2.kaspersky-labs.com/updates/;
      ftp://downloads3.kaspersky-labs.com/updates/;
      ftp://downloads4.kaspersky-labs.com/updates/;
      ftp://downloads5.kaspersky-labs.com/updates/;
      http://updates.kaspersky-labs.com/updates/;
      http://updates1.kaspersky-labs.com/updates/;
      http://updates2.kaspersky-labs.com/updates/;
      http://updates3.kaspersky-labs.com/updates/;
      http://updates4.kaspersky-labs.com/updates/;
      ftp://updates.kaspersky-labs.com/updates/;
      ftp://updates1.kaspersky-labs.com/updates/;
      ftp://updates2.kaspersky-labs.com/updates/;
      ftp://updates3.kaspersky-labs.com/updates/;
      ftp://updates4.kaspersky-labs.com/updates/; viruslist.com;
      www.viruslist.com; http://viruslist.com; viruslist.ru;
      www.viruslist.ru; http://viruslist.ru;
      ftp://ftp.kasperskylab.ru/updates/; symantec.com; www.symantec.com;
      http://symantec.com; customer.symantec.com;
      http://customer.symantec.com; liveupdate.symantec.com;
      http://liveupdate.symantec.com; liveupdate.symantecliveupdate.com;
      http://liveupdate.symantecliveupdate.com;
      securityresponse.symantec.com; http://securityresponse.symantec.com;
      service1.symantec.com; http://service1.symantec.com;
      symantec.com/updates; http://symantec.com/updates;
      updates.symantec.com; http://updates.symantec.com; eset.com/;
      www.eset.com/; http://www.eset.com/; eset.com/products/index.php;
      www.eset.com/products/index.php;
      http://www.eset.com/products/index.php; eset.com/download/index.php;
      www.eset.com/download/index.php;
      http://www.eset.com/download/index.php; eset.com/joomla/;
      www.eset.com/joomla/; http://www.eset.com/joomla/; u3.eset.com/;
      http://u3.eset.com/; u4.eset.com/; http://u4.eset.com/;
      www.symantec.com/updates




Fisierul hosts modificat va arata astfel:


 Injectarea codului malware in alte procese –  Injecteaza fisierul urmator intr-un proces: tsrv.dll

    Numele procesului:
   • %toate procesele active%


 Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • MEW

Description inserted by Adriana Popa on Tuesday, September 26, 2006
Description updated by Adriana Popa on Tuesday, September 26, 2006

Back . . . .