Virus:Worm/Warezov.AM.6
Date discovered:29/09/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:204.851 Bytes
MD5 checksum:632810eabc99e2b9cd6fe57f9da8739e
VDF version:6.36.00.49
IVDF version:6.36.00.60 - Tuesday, September 26, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Stration@MM
   •  Kaspersky: Email-Worm.Win32.Warezov.am
   •  Sophos: W32/Stration-AD
   •  Eset: Win32/Stration.CX


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Steals information

 Files The following files are created:

%SYSDIR%\actxippr.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.AM.5

%SYSDIR%\slbcslay.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.AM.1

%SYSDIR%\acac.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.AM.4

%SYSDIR%\mtxlcomm.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.AM.2

%SYSDIR%\lsaswdmi.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.AM.3




It tries to download some files:

– The location is the following:
   • http://www5.cedesunjerinkas.com/chr/wtb/**********
Furthermore this file gets executed after it was fully downloaded.

– The location is the following:
   • http://www.traferreg.com/chr/zzzx/e/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://www.traferreg.com/chr/zzzx/e/**********


– The location is the following:
   • http://www.traferreg.com/chr/zzzx/**********
At the time of writing this file was not online for further investigation.

 Registry The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   acac]
   • "Image"="%malware execution directory%\%executed file%"
   • "Asynchronous"=dword:00000000
   • "Impersonate"=dword:00000000
   • "Shutdown"="WlxShutdownEvent"
   • "Startup"="WlxStartupEvent"
   • "DllName"="%SYSDIR%\acac.dll"

– [HKLM\Software\Microsoft\scrrnpwm]


The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "AppInit_DLLs"=" actxippr.dll lsaswdmi.dll"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
– Generated addresses


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail server report.
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the following:

   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     
     Best regards,
     Customers support service

   • Mail transaction failed. Partial message is available.

   • The message cannot be represented in 7-bit ASCII encoding
     and has been sent as a binary attachment


Attachment:
The filename of the attachment is constructed out of the following:

–  Random string
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text
   • Update-KB%random words%-x86

    Continued by one of the following fake extensions:
   • dat
   • elm
   • log
   • msg
   • txt
   • zip
   • exe

    The file extension is one of the following:
   • cmd
   • scr
   • exe
   • pif
   • bat

The attachment is a copy of the malware itself.



The email may look like one of the following:



 Backdoor Contact server:
The following:
   • http://www3.cedesunjerinkas.com/cgi-bin/**********

This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Current malware status
    • Information about the Windows operating system

 Injection –  It injects the following file into a process: %SYSDIR%\mtxlcomm.dll

    All of the following processes:
   • iexplore.exe
   • %processes that have visible windows%


 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • MEW

Description inserted by Monica Ghitun on Friday, September 29, 2006
Description updated by Andrei Ivanes on Tuesday, October 24, 2006

Back . . . .