Virus:TR/Spam.Warezov.DQ
Date discovered:24/10/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:143.360 Bytes
MD5 checksum:c7d587d68f9a840C26f41fafae9da2f8
VDF version:6.36.00.160
IVDF version:6.36.00.177 - Friday, October 27, 2006

 General Aliases:
   •  Kaspersky: Email-Worm.Win32.Warezov.dq
   •  Sophos: W32/Stratio-BX
   •  Bitdefender: Win32.Worm.Stration.BR


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads files
   • Uses its own Email engine

 Files It tries to download some files:

– The location is the following:
   • http://shionkertunhedanse.com/outtask/**********
This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • %URL from downloaded file%
This file may contain information related to the email spam function.

 Email It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
Gathered addresses from the internet. Please do not assume that it was the senders intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.


To:
– Gathered addresses from the internet.


Subject:
The following:
   • %gathered from the internet%



Body:
The body of the email is the following:
   • %gathered from the internet%

 Mailing Gather addresses:
It gathers addresses by contacting the following website:
   • %URL from downloaded file%

 Backdoor Contact server:
The following:
   • http://shionkertunhedanse.com/**********

As a result it may send some information. This is done via the HTTP GET request on a CGI script.


Sends information about:
    • IP address

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Wednesday, October 25, 2006
Description updated by Bogdan Iliuta on Monday, November 20, 2006

Back . . . .