
Email-Worm.Win32.Warezov.lg

RISK LEVEL: 2



This modification of Warezov is a component which is used by other variants in this family. It is a Windows DLL file. It is 364,544 bytes in size.

Installation

When loaded, the file will check which process it is loaded into. If the process is called "winlogon.exe", the following files will be extracted to the Windows system directory:

%System%\wmvprf32.dll
%System%\wmvstat.dll
%System%\confwmv.dll
%System%\wmvconf.exe

These files will be detected by Kaspersky Anti-Virus as other modifications of Warezov: Email-Worm.Win32.Warezov.lf, Email-Worm.Win32.Warezov.lg and Email-Worm.Win32.Warezov.kz.

To ensure that its components are loaded when Windows is rebooted, the worm adds a link to them in the system registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "confwmv.dll wmvstat.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmvdiag" = "<path and name of worm executable file>"

The worm scans open windows for fields where passwords will be entered. It will harvest data entered in the fields.

The worm also disables system security components by simulating a click on 'OK' in the relevant dialogue boxes.

The worm also creates an SMTP proxy server on a random TCP port, and sends the IP address of the victim machine and the number of the open port to the remote malicious user's site. It also sends the information which it harvested to the site.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following files:
    %System%\wmvprf32.dll
    %System%\wmvstat.dll
    %System%\confwmv.dll
    %System%\wmvconf.exe
  3. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wmvdiag" = "<path and name of worm executable file>"
  4. Delete the strings "confwmv.dll" and "wmvstat.dll" from the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
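
A read-only PowerShell check for the files and registry values named above, added here as an example and not part of the original description. It changes nothing; for step 4 it only prints what "AppInit_DLLs" would contain once the two worm entries are removed and any other entries are kept. The variable names are illustrative, and the script assumes the entries in "AppInit_DLLs" are separated by spaces or commas.

```powershell
# Read-only audit for the artifacts listed on this page; nothing is modified.
$files   = 'wmvprf32.dll', 'wmvstat.dll', 'confwmv.dll', 'wmvconf.exe'
$appInit = 'confwmv.dll', 'wmvstat.dll'
$sysDir  = [Environment]::SystemDirectory   # resolves %System%

# 1. Dropped files in the Windows system directory
foreach ($name in $files) {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        "FILE     $path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 2. "wmvdiag" value under the Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'wmvdiag' -ErrorAction SilentlyContinue
if ($run) { "RUN      wmvdiag = $($run.wmvdiag)" }

# 3. AppInit_DLLs: report the worm's entries and the value that would remain
#    if only those entries were removed (step 4 of the procedure).
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$value  = (Get-ItemProperty -LiteralPath $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($value) {
    # Assumption: entries are separated by spaces or commas.
    $entries = $value -split '[ ,]+' | Where-Object { $_ }
    # -contains / -notcontains compare case-insensitively, matching Windows file names.
    $bad  = $entries | Where-Object { $appInit -contains    (Split-Path $_ -Leaf) }
    $keep = $entries | Where-Object { $appInit -notcontains (Split-Path $_ -Leaf) }
    if ($bad) {
        "APPINIT  current value : $value"
        "APPINIT  worm entries  : $($bad -join ' ')"
        "APPINIT  cleaned value : '$($keep -join ' ')'"
    }
}
```

No output means none of the listed files or registry values were found on the machine.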


Printed From: http://www.viruslist.com/en/viruses/encyclopedia?virusid=151995

