FRISK Software International


Summary of W32/Warezov.R@mm
Discovered: 12 Sep 2006
Definition files: 12 Sep 2006
Risk Level: Medium
Distribution:Medium
 

Brief Description
W32/Warezov.R@mm is a mass-mailing worm. It harvests e-mail addresses from the infected computer and uses its own SMTP engine to send a copy of itself via e-mail to the harvested addresses.


Technical Description
Upon first execution the worm copies itself to %WINDIR%\tsrv.exe. It also drops the files msji449c14b7.dll, cmut449c14b7.dll and hpzl449c14b7.exe into %SYSDIR%, and the file tsrv.dll into %WINDIR%.

Note: %WINDIR% refers to the Windows directory (C:\Windows by default, C:\Winnt on Windows NT/2000) and %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32

Then it displays the following message:

[message image not available]

and restarts itself from the newly created copy.

It may also create additional files in %WINDIR%, with filenames starting with "tsrv", to store its data, such as harvested e-mail addresses.

Adds the value:

"tsrv" = "%WINDIR%\tsrv.exe s"

to the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

to make sure it's executed at system startup.

Appends the string " msji449c14b7.dll" (with a leading space, so it is added after any existing entries) to the value "AppInit_DLLs" in the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Every DLL listed in AppInit_DLLs is loaded into each process that loads user32.dll, so this gives the worm's code a second persistence mechanism that runs inside most interactive applications even if the Run key entry is removed.

It may also try to download and execute additional files from the Internet.
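The following triage script is an added example, not part of the original description and not F-PROT's own tooling. It checks a registry/file-system snapshot for the persistence indicators listed above (the "tsrv" Run value, the AppInit_DLLs entry, and the dropped file names). The registry snapshot and directory listings embedded at the bottom are constructed for illustration; on a Windows host the script reads the real keys with the standard-library winreg module instead. The assumption that %SYSDIR% is %WINDIR%\System32 matches the NT/2000/XP defaults from the note above.

```python
"""Triage check for the W32/Warezov.R@mm persistence indicators described above.

Indicator names (tsrv.exe, tsrv.dll, msji449c14b7.dll, cmut449c14b7.dll,
hpzl449c14b7.exe, the "tsrv" Run value, the AppInit_DLLs entry) come from the
description; the sample snapshot at the bottom is constructed, not captured."""
import re
import sys
from typing import Dict, List

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

DROPPED_SYSDIR = {"msji449c14b7.dll", "cmut449c14b7.dll", "hpzl449c14b7.exe"}
DROPPED_WINDIR = {"tsrv.exe", "tsrv.dll"}


def parse_appinit_dlls(value: str) -> List[str]:
    """AppInit_DLLs is a space- or comma-delimited list of DLL paths. The worm
    appends " msji449c14b7.dll" with a leading space, so split on both
    separators and drop empty tokens; otherwise the leading space would yield
    an empty first entry. (Paths containing spaces cannot be represented in
    this value, which is why the sample below uses a short vendor path.)"""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return names of Run-key values whose data launches tsrv.exe
    (matched case-insensitively, as Windows file names are)."""
    return [name for name, data in run_values.items() if "tsrv.exe" in data.lower()]


def check_appinit(value: str) -> List[str]:
    """Return AppInit_DLLs entries whose file name is one of the dropped DLLs,
    whether listed bare or with a directory prefix."""
    entries = parse_appinit_dlls(value)
    return [e for e in entries if e.lower().split("\\")[-1] in DROPPED_SYSDIR]


def check_files(windir_listing: List[str], sysdir_listing: List[str]) -> Dict[str, List[str]]:
    """Match directory listings (file names only) against the dropped names and
    flag any extra tsrv* data files the worm creates in %WINDIR%."""
    win = [f for f in windir_listing
           if f.lower() in DROPPED_WINDIR or f.lower().startswith("tsrv")]
    sysd = [f for f in sysdir_listing if f.lower() in DROPPED_SYSDIR]
    return {"windir": sorted(set(win)), "sysdir": sorted(sysd)}


def triage(run_values, appinit_value, windir_listing, sysdir_listing) -> dict:
    """Combine the three checks into one report; 'infected' is True if any hit."""
    report = {
        "run": check_run_values(run_values),
        "appinit": check_appinit(appinit_value),
        "files": check_files(windir_listing, sysdir_listing),
    }
    report["infected"] = bool(report["run"] or report["appinit"]
                              or report["files"]["windir"] or report["files"]["sysdir"])
    return report


def live_snapshot():
    """On Windows, read the two keys via winreg and list %WINDIR% and
    %WINDIR%\\System32 (assumed %SYSDIR%); returns None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import os
    import winreg  # standard library, Windows only
    run = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # raised when no more values remain
                break
            run[name] = str(data)
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY) as k:
        try:
            appinit = str(winreg.QueryValueEx(k, "AppInit_DLLs")[0])
        except OSError:  # value absent: treat as empty
            appinit = ""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    sysdir = os.path.join(windir, "System32")
    return run, appinit, os.listdir(windir), os.listdir(sysdir)


# Constructed snapshot of an infected machine (illustrative, not real data).
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "tsrv": r"C:\WINDOWS\tsrv.exe s"}
SAMPLE_APPINIT = r"C:\Vendor\hook.dll msji449c14b7.dll"
SAMPLE_WINDIR = ["explorer.exe", "tsrv.exe", "tsrv.dll", "tsrv1.dat"]
SAMPLE_SYSDIR = ["kernel32.dll", "cmut449c14b7.dll", "hpzl449c14b7.exe"]

if __name__ == "__main__":
    snap = live_snapshot() or (SAMPLE_RUN, SAMPLE_APPINIT, SAMPLE_WINDIR, SAMPLE_SYSDIR)
    print(triage(*snap))
```

Run it with no arguments: on a non-Windows machine it reports against the constructed snapshot, on Windows it inspects the live registry and directories. A clean AppInit_DLLs value is usually an empty string, so any non-empty entry there deserves a look even when it is not one of the names above.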

It harvests e-mail addresses from files with one of the following extensions:

pl
msg
ods
tbb
dbx
txt
mbx
php
mht
adb
cgi
oft
eml
wab
jsp
xml
asp
nch
cfg
wsh
htm
uin


Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson
 


 
