Email-Worm.Win32.Warezov.nv
From Total Malware Info
An IM worm that stealthily disables anti-virus software and installs other malware on the victim's computer. It is a Windows portable executable (PE) file. The worm executable is 40 960 bytes in size. It is packed with the Upack executable packer; the unpacked size is ~78 kilobytes.
Installation
Drops the following files:
- %System%\dnsamqut.dll – 24 576 bytes in size. Detected by Kaspersky Anti-Virus as Email-Worm.Win32.Warezov.nd
- %System%\sdhccard.dll – 24 576 bytes in size. Detected by Kaspersky Anti-Virus as Email-Worm.Win32.Warezov.nd
Changes the following registry parameter value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs="dnsamqut.dll sdhccard.dll"
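A defender-side check for the registry change above, as an added example that is not part of the original write-up: it parses `reg query` output for the AppInit_DLLs value and flags the two DLL names listed on this page. The sample outputs are constructed, and the function and constant names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# DLL names from this page's "Installation" section.
WAREZOV_DLLS = {"dnsamqut.dll", "sdhccard.dll"}

# Constructed samples of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    dnsamqut.dll sdhccard.dll
"""
SAMPLE_MIXED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\DNSAMQUT.DLL,example.dll
"""
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
"""

VALUE_RE = re.compile(
    r"^[ \t]*AppInit_DLLs[ \t]+REG_(?:EXPAND_)?SZ[ \t]*(.*)$", re.I | re.M
)

def parse_appinit(reg_query_output):
    """Return the entries of AppInit_DLLs (the value is space- or comma-delimited)."""
    m = VALUE_RE.search(reg_query_output)
    if not m:
        return []
    parts = re.split(r"[ ,]+", m.group(1).strip())
    return [p.strip('"') for p in parts if p.strip('"')]

def triage(reg_query_output):
    """Split entries into names listed on this page and everything else."""
    known, other = [], []
    for entry in parse_appinit(reg_query_output):
        # Compare on the file name only, case-insensitively, so full paths match too.
        name = PureWindowsPath(entry).name.lower()
        (known if name in WAREZOV_DLLS else other).append(entry)
    # "review" entries are not indicators from this page, but AppInit_DLLs is
    # loaded into every process that loads user32.dll, so each one needs an owner.
    return {"warezov": known, "review": other}

if __name__ == "__main__":
    for label, text in [("infected", SAMPLE_INFECTED), ("mixed", SAMPLE_MIXED),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, triage(text))
```
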
Propagation via ICQ
This worm is distributed via ICQ spam. Messages contain one of the following text strings:
- Check this:
- My party pics:
The string is followed by a URL that points to the latest modification of the worm. When the user clicks the link, they are offered a file named "archive.exe" to download and launch. If the user downloads and launches that file, the worm installs itself on the system and the computer becomes infected.
Payload
The worm injects its component %System%\dnsamqut.dll into the following processes:
- services.exe
- zlclient.exe
- iexplore.exe
- mpftray.exe
- svchost.exe
- outpost.exe
- firefox.exe
- ccapp.exe
- zapro.exe
- opera.exe
- smc.exe
and then disables various anti-virus and personal firewall software installed on the victim's system.
The worm contains a large built-in list of URLs that point to files on the Internet. It downloads those files to the victim's machine and launches them.
Removal instructions
If your computer was not protected by anti-virus software and was infected by this malware program, follow the instructions below to remove it manually:
- Using Task Manager, terminate the trojan process.
- Delete the original trojan file (its file name and location depend on the way the trojan originally penetrated the target computer).
- Check your system for viruses using updated anti-virus definitions.





