Alias: W32.Inzae.A@mm, Worm.Pawur.a, W32/Anzae.a.worm, W32/Tasin.A.worm
Type: Worm
Size: 49.331 bytes
Origin:
Date: 11-25-2004
Damage:
VDF Version: 6.28.00.91
Danger: Low
Distribution: High
General Description
Platforms infected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Symptoms
-email sending
-opens a backdoor
-takes advantage of a system vulnerability
Distribution
-Worm/Pawur.A.1 uses its own SMTP engine in order to send virulent emails.
-The email is built like this:
From: %spoofed%
Subject: (one of the following)
-re:Amor verdadero
-re:Como el aire...
-re:Crees que puede ser verdad?
-re:Déjate de rollos y vivé!!!
-re:Eso con queso rima con...xD
-re:La Luna
-re:Neptuno y Mercurio
-re:Pisología
-re:Voodoo un tanto ps...
-re:xD no me lo puedo creer!!
Body: (one of the following)
-No veas que cosas xD,luego me cuentas,chao.
-Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
-Mira lo que te mando y ya verás que los detalles mas pequeños son los que importan,ciaoo
-Test para ver si andas bien de las neuronassss!xD,luego hablamos, chao
-Qué relación tienen estos planetas?,miralo y luego me cuentas,chao.
-Esa moribunda y solitaria Luna,Impresionante!chao.
-Será cierta la magia negra?,sal de dudas y ya me cuentas,chao.
-No comment,xDD,Nos vemos!!
-Renvíalo a todo que es que se meannn xD,nos vemos!
Attachment: (one of the following)
-D-Incógnito.zip
-EL_rechazo.zip
-Love-Me.zip
-Moon(Luna).zip
-My life(Mi vida).zip
-Para-Brisas.zip
-Planetario.zip
-Psíquico-Mix.zip
-Rimaz.zip
-Voodoo!.zip
The file inside the ZIP archive, which contains the worm, has one of the following names:
-inzae.pif
-ph003.pif
-rd2_roberto.pif
-simbolic3.pif
-extasis8.pif
-sin_mas_menos.pif
Technical Details
-When Worm/Pawur.A.2 is executed, it creates a copy of itself in the Windows system directory with the filename "svchosl.pif".
-So that it is executed again at the next system start, the worm creates the following entry in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Svchost"="%System%\svchosl.pif"
-It also creates copies of itself in the root directories of the drives C:, D:, E: and F: with the following filenames:
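The Run key entry above is what brings the worm back after a reboot, so inspecting that key is a natural host-side check. The following Python is an added example, not code from this description or from any AV product: it parses a constructed .reg export of the Run key (the sample entries are made up) and flags the "Svchost" value that launches svchosl.pif, as well as the broader pattern it belongs to, a .pif shortcut or a process-lookalike name registered as an autostart.

```python
import re

# Indicators from the Worm/Pawur.A description: a Run value "Svchost" launching svchosl.pif.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PAWUR_DROPPER = "svchosl.pif"

# Constructed .reg export of the Run key (sample data, not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Svchost"="C:\\WINDOWS\\system32\\svchosl.pif"
"Updater"="\"C:\\Program Files\\Updater\\upd.pif\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cleanup.pif"
"""

def parse_run_entries(reg_text):
    """Return {value_name: command} for string values under the Run key only."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a new key header
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)      # "name"="data"
        if in_run and m:
            # undo .reg escaping: \" -> " and \\ -> \
            entries[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries

def launched_file(command):
    """Lower-cased basename of the program a Run command starts (arguments ignored)."""
    command = command.strip()
    path = command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()

def assess_run_entries(entries):
    """List (value_name, reason) for the worm's entry and for related suspicious patterns."""
    findings = []
    for name, command in entries.items():
        fname = launched_file(command)
        if fname == PAWUR_DROPPER:
            findings.append((name, "Worm/Pawur.A autostart entry"))
        elif fname.endswith(".pif"):
            findings.append((name, "autostart launches a .pif shortcut: " + fname))
        elif name.lower() == "svchost":
            findings.append((name, "value named after svchost but launches " + fname))
    return findings
```

Entries under RunOnce are ignored on purpose so the check stays focused on the key the worm uses; a quoted path followed by arguments is handled, as are the doubled backslashes of the .reg format.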
-codm
-extasis8.pif
-inzae.pif
-ph003.pif
-rd2_roberto.pif
-simbolic3.pif
-sin_mas_menos.pif
Worm/Pawur.A.1 creates the following files in the system directory:
-\%SystemDIR%\inzax.exe
-\%SystemDIR%\sw.exe
-\%SystemDIR%\sx.exe
-\%SystemDIR%\sz.exe
-\%SystemDIR%\m.zip
and deletes files with the following extensions:
.asm
.asp
.bdsproj
.bmp
.c
.cpp
.cs
.csproj
.css
.doc
.dpr
.frm
.gif
.h
.htm
.html
.iso
.jpeg
.jpg
.mdb
.mp3
.nfm
.nrg
.pas
.pcx
.pdf
.php
.ppt
.rar
.rc
.rc2
.reg
.resx
.rpt
.sln
.txt
.vb
.vbp
.vbproj
.wav
.xls
Worm/Pawur.A.1 sends an HTTP GET request to the domain xxxxx.org in order to check whether the computer has an active Internet connection.
Description inserted by Crony Walker on Tuesday, June 15, 2004