FRISK Software International


Summary of W32/Zasran.A
Discovered: 23 May 2006
Definition files: 23 May 2006
Risk Level: Low
Distribution: Low
 

Brief Description
W32/Zasran.A is a mass-mailing worm. It harvests e-mail addresses from the infected computer and uses its own SMTP engine to send a copy of itself via e-mail to the harvested addresses. The e-mails sent are in German.


Technical Description
Upon first execution the worm drops the file %SYSDIR%\mszsrn32.dll (also detected as W32/Zasran.A).

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32


It creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]

and adds the following values to it:

"Asynchronous" = 1
"DllName" = "%SYSDIR%\mszsrn32.dll"
"Impersonate" = 0
"Startup" = "Startup"
"Type" = 2

so that Winlogon loads the DLL at startup and the worm is always running.
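As an added example that is not part of the FRISK description, the following Python script triages an exported .reg file of the Winlogon\Notify key for this persistence mechanism, listing every registered notification package and flagging those outside a baseline or loading the DLL named above. The SAMPLE_REG content is constructed, and the KNOWN_GOOD baseline of default Windows XP notification packages is an assumption to replace with your own.

```python
import re
# Default Windows XP Winlogon notification packages; an assumed baseline for this example.
KNOWN_GOOD = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
              "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# Constructed .reg export: one legitimate package plus the key described above.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\mszsrn32.dll"
"Impersonate"=dword:00000000
"Startup"="Startup"
"Type"=dword:00000002
'''

def _decode_value(raw):
    # REG_SZ ("..."), REG_DWORD (dword:) and REG_EXPAND_SZ (hex(2): UTF-16LE bytes).
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace('\\\\', '\\').replace('\\"', '"')

def audit_notify_packages(reg_text):
    # Returns ({subkey: values}, {subkey: (DllName, reasons)}) for every Winlogon\Notify subkey.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)  # rejoin wrapped hex lines
    packages, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(NOTIFY):] if key.lower().startswith(NOTIFY.lower()) else None
            if current:
                packages[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            packages[current][name.strip('"')] = _decode_value(value)
    findings = {}
    for name, values in packages.items():
        dll = str(values.get("DllName", ""))
        reasons = []
        if name.lower() not in KNOWN_GOOD:
            reasons.append("not a baseline notification package")
        if dll.rsplit("\\", 1)[-1].lower() == "mszsrn32.dll":
            reasons.append("DllName matches the W32/Zasran.A component")
        if reasons:
            findings[name] = (dll, reasons)
    return packages, findings
```

On a live system, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file contents to `audit_notify_packages`.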

It harvests e-mail addresses from all files on local drives having one of the following extensions:

wab
tbb
tbi
doc
xls
txt
csv
htm
html
xml
adb
asa
asc
asm
asp
cgi
con
csp
dbx
dlt
dwt
edm
hta
htc
inc
jsp
jst
lbi
php
rdf
rss
sht
ssi
stm
vbp
vbs
wml
xht
xsd
xst

It sends itself as an e-mail attachment to the harvested addresses. The e-mail's body and subject are in German. It avoids sending itself to e-mail addresses containing any of the following substrings:

admin
info
support
soft
webmaster
help
web
postmaster
root
bugs
rating
site
contact
privacy
service
abuse
register
cisco
gnu.org
bsd.it
debian
linux
berkeley
google
fido
ibm.com
microsoft.com
php.net
.mil
.gov
borland.com
sun.com
virus
kaspersky
sophos
ripe.
iana.
drweb.
secure
avp.
.arpa



Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson
 


