Alias: W32.Inzae.B@mm, W32/Anzae.worm.c, W32/Anzae.worm.d, W32/Tasin.B.worm
Type: Worm
Size: 50.473 B, 50.613 B, 50.832 B
Origin:
Date: 11-28-2004
Damage:
VDF Version: 6.28.00.94
Danger: Low
Distribution: Medium

General Description
Platforms infected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Symptoms
- E-mail sending

Distribution
In order to spread itself, Worm/Pawur.A.2 uses its own SMTP engine.

- From:

- Subject: (one of the following)

FW:Como el aire...xD
FW:El amor,el amor,jajaja
FW:Miralo!!!!
FW:Más de los mismo, pero vale la pena...
FW:Más te quise yo :P,jajaja
FW:Pero que cosasssssss ,jajajaja
FW:Pero si es cierto!!!
FW:Podrás dormir??jajaja
FW:Venga que lo disfrutes ;) jajaja
Impresiona!!!!

- Body: (one of the following)

Esto no me lo creo,joeee , jajajaj
Miralo y me comentas luego,jajajaja
Miralo y reenvia!!!!!jajajaja,comparte leñe!
Mirame!, jajaja
No comment,xDD ,Nos vemos!!
Pa q tu vea!jajaja
Pero que cosasssss!
Si tu me vieras....
Te pongo a 100,jajaja
jajajaja,no pue ser!

- Attachment: (one of the following)

Basta_YA.zip
Claro_que_lo_se.zip
Con_mas_amor.zip
Las_cosas_cambian.zip
Lo_que_te_mereces.zip
Lo_que_ves.zip
No_me_lo_creo.zip
Nunca_estamos.zip
Para_ti_mas.zip
Siempre_estas_ahi.zip

In the attachment resides one of the following files:

Absolutismo.bmp
Lo_mejor.bmp
Q_mas_da.bmp
Que_puede_ser.bmp
Siempre_juntos.bmp
Sientelo.bmp

Technical Details
- When Worm/Pawur.A.2 is executed, it creates a copy of itself in the Windows system directory under the filename "Command.pif".
- The worm creates the following entries in the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Svchost"="%SystemDIR%\Command.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Messenger6"="%SystemDIR%\command.pif"

- Then it displays the following error message:

- Title:
Error interno

- Message:
Documento interno danado, reinstale la aplication asociada para poder visualizarlo
Mas informacion http:/ /www.microsoft.com
El programa so cerrara.

Worm/Pawur.A.2 tries to download the file 'msvbvm60.dll' from the Internet using an HTTP GET request. The downloaded file is copied to the following locations:

%WinDIR%\System32\msvbvm60.dll
%WinDIR%\System\msvbvm60.dll

If the file is successfully downloaded, the worm creates the file 'paula.pif' in the Windows system directory and executes it. This file in turn creates the following files:

%SystemDIR%\Svchosl.pif
%WinDIR%\System32\m.zip
%WinDIR%\System32\sw.exe
%WinDIR%\System32\sx.exe
%WinDIR%\System32\ss.exe
%WinDIR%\System32\sz.exe

and adds the following entry to the Windows registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Svchost"="%SystemDIR%\svchosl.pif"

Worm/Pawur.A.2 deletes all the files that have the following extensions:

.asm
.asp
.bat
.bdsproj
.bmp
.c
.css
.doc
.dot
.dpr
.gif
.h
.htm
.html
.inf
.ini
.iso
.jpeg
.jpg
.log
.mdb
.mp3
.msi
.nfm
.nrg
.pas
.pcx
.pdf
.php
.ppt
.rar
.reg
.rpt
.txt
.vb
.vbs
.wav
.xls

The worm copies itself to the root directories of the local drives C:, D:, E: and F: under the following filenames:

Absolutismo.bmp
Lo_mejor.bmp
Q_mas_da.bmp
Que_puede_ser.bmp
Siempre_juntos.bmp
Sientelo.bmp

Worm/Pawur.A.2 sends an HTTP GET request to the following website: xxxxx.org
Description submitted by Crony Walker on Tuesday, 15 June 2004
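The indicators listed in the Distribution and Technical Details sections above (Run values, dropped files, drive-root copies, mail subjects and attachment names) as a small matcher in Python. This is an added example, not code from the original description or from Avira. It assumes a C:\WINDOWS layout to expand the %WinDIR% / %SystemDIR% placeholders, and a constructed snapshot format (registry value tuples, a list of file paths, one mail header) standing in for a real registry and file inventory.

```python
import ntpath
import re

# Assumed Windows layout used to expand the %WinDIR% / %SystemDIR% placeholders
# from the description (an assumption of this example, not from the page).
WINDIR = r"C:\WINDOWS"
SYSTEMDIR = WINDIR + r"\system32"


def _expand(path):
    """Expand the description's placeholders and lower-case for comparison."""
    return path.replace("%WinDIR%", WINDIR).replace("%SystemDIR%", SYSTEMDIR).lower()


# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
# Run value name -> file names the worm or its paula.pif stage points it at.
RUN_VALUES = {"svchost": {"command.pif", "svchosl.pif"}, "messenger6": {"command.pif"}}
DROPPED_FILES = {_expand(p) for p in (
    r"%SystemDIR%\Command.pif", r"%SystemDIR%\paula.pif", r"%SystemDIR%\Svchosl.pif",
    r"%WinDIR%\System32\m.zip", r"%WinDIR%\System32\sw.exe", r"%WinDIR%\System32\sx.exe",
    r"%WinDIR%\System32\ss.exe", r"%WinDIR%\System32\sz.exe",
)}
# Names used both for the copies in drive roots and for the file inside the mail ZIP.
WORM_BMP_NAMES = {"absolutismo.bmp", "lo_mejor.bmp", "q_mas_da.bmp",
                  "que_puede_ser.bmp", "siempre_juntos.bmp", "sientelo.bmp"}
MAIL_SUBJECTS = {
    "FW:Como el aire...xD", "FW:El amor,el amor,jajaja", "FW:Miralo!!!!",
    "FW:Más de los mismo, pero vale la pena...", "FW:Más te quise yo :P,jajaja",
    "FW:Pero que cosasssssss ,jajajaja", "FW:Pero si es cierto!!!", "FW:Podrás dormir??jajaja",
    "FW:Venga que lo disfrutes ;) jajaja", "Impresiona!!!!",
}
MAIL_ATTACHMENTS = {
    "basta_ya.zip", "claro_que_lo_se.zip", "con_mas_amor.zip", "las_cosas_cambian.zip",
    "lo_que_te_mereces.zip", "lo_que_ves.zip", "no_me_lo_creo.zip", "nunca_estamos.zip",
    "para_ti_mas.zip", "siempre_estas_ahi.zip",
}


def match_registry(entries):
    """entries: (key, value name, data) tuples. Flags Run values pointing at worm files."""
    findings = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY:
            continue
        expected = RUN_VALUES.get(name.lower())
        if expected and ntpath.basename(data.strip('"')).lower() in expected:
            findings.append(f"registry: {key}\\{name} -> {data}")
    return findings


def match_files(paths):
    """Flags dropped components and worm copies sitting directly in a drive root."""
    findings = []
    for path in paths:
        low = path.lower()
        head, tail = ntpath.split(low)
        if low in DROPPED_FILES:
            findings.append(f"file: dropped component {path}")
        elif tail in WORM_BMP_NAMES and re.fullmatch(r"[a-z]:\\", head):
            findings.append(f"file: worm copy in drive root {path}")
    return findings


def match_mail(subject, attachment_names):
    """Flags a message whose subject or attachment names match the worm's templates."""
    findings = []
    if subject in MAIL_SUBJECTS:
        findings.append(f"mail: known subject {subject!r}")
    for name in attachment_names:
        if name.lower() in MAIL_ATTACHMENTS or name.lower() in WORM_BMP_NAMES:
            findings.append(f"mail: known attachment name {name}")
    return findings


def scan(snapshot):
    """Runs all three matchers over a snapshot dict and returns the list of findings."""
    mail = snapshot.get("mail", {"subject": "", "attachments": []})
    return (match_registry(snapshot.get("registry", []))
            + match_files(snapshot.get("files", []))
            + match_mail(mail["subject"], mail["attachments"]))


# Constructed sample snapshot: one infected-looking host plus benign noise.
SAMPLE_HOST = {
    "registry": [
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "Svchost", r"C:\WINDOWS\system32\svchosl.pif"),
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),   # benign, must not match
    ],
    "files": [r"C:\WINDOWS\system32\sw.exe", r"D:\Siempre_juntos.bmp",
              r"C:\Documents\photo.bmp"],                      # last one is benign
    "mail": {"subject": "FW:Miralo!!!!", "attachments": ["Para_ti_mas.zip"]},
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOST):
        print(finding)
```

Matching is done on the basename of the Run value data rather than the full string, because the description shows the same value written with both %SystemDIR% and a bare path, and on a lower-cased path because the page itself alternates between Command.pif and command.pif. A .bmp name only counts when its parent is a drive root, so an ordinary picture with a coincidental name elsewhere on disk is not reported.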
