Email-Worm.Win32.Warezov.pk

From Total Malware Info

An email worm that stealthily disables anti-virus software and installs other malware on the victim's computer. It is a Windows portable executable file. The worm executable is 19 776 bytes in size. It is packed with the Upack executable packer; the unpacked size is about 92 kilobytes.

Installation

In email messages the worm sends a downloader component, which fetches the file from the following link:

http://bu*********me.com/ntsrv32.exe

and saves it to the temporary folder under a temporary name, then executes it.

When launched, the worm displays the following message:

Then it copies the main component's executable file to:

%WinDir%\aqw.exe

and drops the following library:

%System%\e1.dll (69 632 bytes)

Then it creates the following registry entries:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"aqw"="%WinDir%\aqw.exe s"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="e1.dll"

As a result, the worm executables are launched every time Windows starts.

Propagation via Email

Mail Subject

The subject is chosen randomly from the list below:

Mail Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test

Mail Body

The body is one of the following four variants:

Mail transaction failed. Partial message is available.

---------------------------

The message cannot be represented in 7-bit ASCII encoding and has been sent as a 
binary attachment.

----------------------------
The message contains Unicode characters and has been sent as a binary attachment.

----------------------------
Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably. After 
the penetrating into the computer the virus harvests all the e-mail addresses and sends 
the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment file name

The worm attaches to infected emails a special component that downloads the latest version of the worm from the internet and installs it on the victim's machine. The attached file may have one of the following names:

Update-KB<four random digits>-x86.exe
body
data
doc
docs
document
file
message
readme
test
text
postcard
Video_fragment
Access

The extension is either ".exe" or ".txt.exe".
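As an added example (not part of the original write-up), the mail-filter check below flags messages that combine a subject from the list above with an attachment named as described, including the Update-KB<four digits>-x86 pattern and the double ".txt.exe" extension. The sample messages are constructed for the self-check.

```python
import re

# Subject lines and attachment base names quoted in the write-up above.
LURE_SUBJECTS = {
    "Mail Error", "Good Day", "hello", "Mail Delivery System",
    "Mail server report", "Mail Transaction Failed", "picture",
    "Server Report", "Status", "test",
}
LURE_BASENAMES = {
    "body", "data", "doc", "docs", "document", "file", "message",
    "readme", "test", "text", "postcard", "Video_fragment", "Access",
}
# Update-KB<four random digits>-x86 with the .exe or .txt.exe extension.
KB_PATTERN = re.compile(r"^Update-KB\d{4}-x86\.(?:txt\.)?exe$")


def attachment_matches(name: str) -> bool:
    """True if the attachment name fits one of the worm's naming patterns."""
    if KB_PATTERN.match(name):
        return True
    # Check the longer ".txt.exe" first so the base name is split off correctly.
    for ext in (".txt.exe", ".exe"):
        if name.endswith(ext):
            return name[: -len(ext)] in LURE_BASENAMES
    return False


def classify_mail(subject: str, attachments: list[str]) -> str:
    """'block' when subject and attachment both match, 'review' when only
    the attachment does, otherwise 'pass'."""
    bad_attachment = any(attachment_matches(a) for a in attachments)
    if bad_attachment and subject.strip() in LURE_SUBJECTS:
        return "block"
    if bad_attachment:
        return "review"
    return "pass"


# Constructed sample messages (not real captures) for a quick self-check.
SAMPLES = [
    ("Mail Transaction Failed", ["Update-KB4821-x86.exe"]),
    ("Re: quarterly figures", ["readme.txt.exe"]),
    ("Status", ["report.pdf"]),
]

if __name__ == "__main__":
    for subject, atts in SAMPLES:
        print(f"{subject!r} {atts} -> {classify_mail(subject, atts)}")
```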

Payload

Payload of the main component

The main component creates the following files, in which the worm's configuration is stored:

%WinDir%\aqw.dat
%WinDir%\aqw.s

The worm contains code that terminates the processes of various anti-virus and personal firewall products and also stops and deletes their services, leaving the victim's system vulnerable to all kinds of attacks.

It searches the hard drive for files with the following extensions:

.htm
.dat
.txt

and extracts email addresses from them. All extracted addresses are then stored in the file

%WinDir%\aqw.wax

and uploaded to the attacker's site.

The worm changes the contents of the following file:

%WINDIR%\System32\drivers\etc\hosts

to redirect requests for the following sites:

u4.eset.com
obru3.eset.com
www.eset.com
updates.symantec.com
symantec.com
service1.symantec.com
securityresponse.symantec.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
customer.symantec.com
ftp.kasperskylab.ru/updates
viruslist.ru
viruslist.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.kaspersky-labs.com
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads5.kaspersky-labs.com
kaspersky.ru
www.kaspersky-labs.com
www.avp.ru
kaspersky-labs.com
kaspersky.com
avp.ru
www.microsoft.com

to non-existent addresses, blocking anti-virus software updates.

It downloads files from the following URLs:

http://casefu****ikions.com/st32.exe
http://casefu******kions.com/aqw32.exe

to the temporary folder and then launches them.

Removal instructions

  1. Using Task Manager, terminate the worm process.
  2. Delete the original worm file (its file name and location depend on the way the worm originally penetrated the target computer).
  3. Delete all infected files from the inbox folders.
  4. Delete the following parameters in registry keys:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "aqw"="%WinDir%\aqw.exe s"
    
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="e1.dll"
    
  5. Delete files:
    %WinDir%\aqw.dat
    %WinDir%\aqw.s
    %WinDir%\aqw.wax
    %WinDir%\aqw.exe
    %System%\e1.dll
    
  6. Restore the original content of the file:
    %WINDIR%\System32\drivers\etc\hosts
    

    Usually it contains the following line:

    127.0.0.1       localhost
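The following script is an added example, not part of the original write-up, for step 6: it parses a hosts file, flags any line that pins one of the vendor names listed above to an address, and produces a cleaned copy that keeps only the untouched lines and the default localhost entry. It generalises the listed Kaspersky mirrors to any single-digit numbered updatesN/downloadsN host; the sample hosts content is constructed.

```python
import re

# Anti-virus vendor and update hosts that the write-up lists as redirected.
REDIRECTED_HOSTS = {
    "u4.eset.com", "obru3.eset.com", "www.eset.com",
    "updates.symantec.com", "symantec.com", "service1.symantec.com",
    "securityresponse.symantec.com", "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com", "customer.symantec.com",
    "ftp.kasperskylab.ru",  # listed with a /updates path; hosts files hold only names
    "viruslist.ru", "viruslist.com", "kaspersky.ru", "kaspersky.com",
    "www.kaspersky-labs.com", "kaspersky-labs.com", "www.avp.ru", "avp.ru",
    "www.microsoft.com",
}
# The Kaspersky mirrors are numbered; this generalises to any single digit.
MIRROR_PATTERN = re.compile(r"^(?:updates|downloads)\d?\.kaspersky-labs\.com$")

def is_redirected_host(name: str) -> bool:
    n = name.lower().rstrip(".")
    return n in REDIRECTED_HOSTS or bool(MIRROR_PATTERN.match(n))

def audit_hosts(text: str) -> tuple[list[tuple[int, str, str]], str]:
    """Flag hosts lines that pin a vendor name to any address and return
    (flagged (line_no, address, hostname) tuples, cleaned hosts text)."""
    flagged, kept = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        hits = [n for n in fields[1:] if is_redirected_host(n)]
        if hits:
            flagged.extend((no, fields[0], h) for h in hits)
            continue  # leave the tampered line out of the cleaned copy
        kept.append(raw)
    # Make sure the default loopback entry mentioned in step 6 is present.
    if not any(f[:1] == ["127.0.0.1"] and "localhost" in f
               for f in (k.split("#", 1)[0].split() for k in kept)):
        kept.insert(0, "127.0.0.1       localhost")
    return flagged, "\n".join(kept) + "\n"

# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
10.0.0.1   liveupdate.symantec.com
10.0.0.1   updates2.kaspersky-labs.com www.eset.com
10.0.0.1   www.microsoft.com   # added by malware
192.168.1.5   fileserver.local
"""

if __name__ == "__main__":
    for no, addr, host in audit_hosts(SAMPLE_HOSTS)[0]:
        print(f"line {no}: {host} pinned to {addr}")
```

Write the cleaned text back only after reviewing the flagged lines, since a legitimate internal mirror entry would also be dropped.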
    