This email worm is a Windows PE EXE file. It is 58,448 bytes in size.

Installation

When installing, the worm creates the following files in the Windows system directory:

- %System%\taskdir.exe — 58,448 bytes in size;
- %System%\zlbw.dll — 46,592 bytes in size;
- %System%\adir.dll — 4,608 bytes in size. This file is detected by Kaspersky Anti-Virus as Email-Worm.Win32.Banwarum.f.
In order to ensure that the worm is launched automatically each time Windows is restarted, it registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdir" = "%System%\taskdir.exe"

The worm also creates a service called "Windows update Service" which loads the worm's executable file %System%\taskdir.exe.

The worm registers itself on the remote malicious user's site and transmits the network address of the victim machine. It then downloads a file containing the botnet configuration from the remote malicious user's site and saves it as %System%\log.txt. Data from this file is then used to fetch what the worm needs in order to send spam.

The worm gets the body of a spam email from the remote malicious user's site, together with a list of addresses to which the spam is to be sent. It then sends the emails by making URL requests to scripts on mail servers.

%System%\adir.dll is a rootkit library which hides the worm's files on the hard disk, processes launched by the worm, and registry keys which contain the worm's configuration. Because of this, the files and keys listed here may not be visible from within the running infected system.

The worm downloads a file from the following link:

http://81.***.26.20/cp/bin/lim

and saves it to the Windows system directory as %System%\taskdir~.exe. It will then be launched for execution. At the moment of writing, this link was not working.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

- Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
- Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:

%System%\taskdir.exe
%System%\zlbw.dll
%System%\adir.dll
%System%\log.txt
%System%\taskdir~.exe

- Delete the following system registry entry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdir" = "%System%\taskdir.exe"

- Delete the service "Windows update Service" which the worm created to load %System%\taskdir.exe.
- Update your antivirus databases and perform a full scan of the computer.
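As an added example (this is not Kaspersky's code and not part of the original description), the following Python script evaluates the indicators listed above against a host snapshot and produces the matching removal actions. It assumes the snapshot was collected outside the booted system (from Safe Mode or a mounted disk image), since adir.dll hides the worm's files, processes and keys from a running system. The sample snapshot is constructed here, the %System% directory defaults to C:\Windows\System32 as an assumption, and the download host keeps the masked form shown above.

```python
"""IOC triage for the Banwarum worm described above (added example)."""
import fnmatch

SYSTEM = "%System%"

# Files from the description; None means the page gives no fixed size.
WORM_FILES = {
    SYSTEM + r"\taskdir.exe": 58448,
    SYSTEM + r"\zlbw.dll": 46592,
    SYSTEM + r"\adir.dll": 4608,
    SYSTEM + r"\log.txt": None,       # downloaded botnet configuration
    SYSTEM + r"\taskdir~.exe": None,  # second-stage download
}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "taskdir"
WORM_EXE = SYSTEM + r"\taskdir.exe"
SERVICE_NAME = "Windows update Service"
# The page masks the second octet of the download host, so it stays a wildcard.
DOWNLOAD_URL_PATTERN = "http://81.*.26.20/cp/bin/lim"


def expand(path, system_dir):
    """Expand %System% to the real directory and fold case for comparison."""
    return path.replace(SYSTEM, system_dir).lower()


def triage(snapshot, system_dir=r"C:\Windows\System32"):
    """Return (findings, removal_plan) for an offline host snapshot.

    snapshot keys (all optional):
      files      -> {full_path: size_in_bytes}
      run_values -> {(registry_key, value_name): value_data}
      services   -> {service_name: image_path}
      urls       -> iterable of URLs seen in proxy/DNS logs
    """
    findings = []
    plan = ["boot into Safe Mode so that adir.dll cannot hide the files and keys"]

    files = {p.lower(): size for p, size in snapshot.get("files", {}).items()}
    for ioc, expected in WORM_FILES.items():
        real = expand(ioc, system_dir)
        if real in files:
            size = files[real]
            note = ""
            if expected is not None and size != expected:
                note = f" (size {size}, description says {expected}; possibly another variant)"
            findings.append(f"file {ioc}{note}")
            plan.append(f"delete {real}")

    run = {(k.lower(), v.lower()): d for (k, v), d in snapshot.get("run_values", {}).items()}
    data = run.get((RUN_KEY.lower(), RUN_VALUE_NAME.lower()))
    if data is not None:
        findings.append(f"Run value {RUN_VALUE_NAME} = {data}")
        plan.append(f'reg delete "{RUN_KEY}" /v {RUN_VALUE_NAME} /f')

    for name, image in snapshot.get("services", {}).items():
        # Match on the service name or on the image path, in case the name was changed.
        if name.lower() == SERVICE_NAME.lower() or expand(image, system_dir) == expand(WORM_EXE, system_dir):
            findings.append(f"service '{name}' -> {image}")
            plan.append(f'sc delete "{name}"')

    for url in snapshot.get("urls", []):
        if fnmatch.fnmatchcase(url.lower(), DOWNLOAD_URL_PATTERN.lower()):
            findings.append(f"download URL {url}")

    if not findings:
        plan = []
    return findings, plan


# Constructed snapshot of an infected host (sample data, not a real capture).
INFECTED = {
    "files": {
        r"C:\Windows\System32\taskdir.exe": 58448,
        r"C:\Windows\System32\zlbw.dll": 46592,
        r"C:\Windows\System32\adir.dll": 4608,
        r"C:\Windows\System32\log.txt": 1337,
        r"C:\Windows\System32\kernel32.dll": 989696,
    },
    "run_values": {
        (RUN_KEY, "taskdir"): r"C:\Windows\System32\taskdir.exe",
        (RUN_KEY, "ctfmon.exe"): r"C:\Windows\System32\ctfmon.exe",
    },
    "services": {
        "Windows update Service": r"C:\Windows\System32\taskdir.exe",
        "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    # Kept in the masked form shown on the page rather than inventing an address.
    "urls": ["http://81.***.26.20/cp/bin/lim", "http://www.example.com/"],
}

if __name__ == "__main__":
    found, actions = triage(INFECTED)
    print("Findings:")
    for f in found:
        print("  ", f)
    print("Removal plan:")
    for a in actions:
        print("  ", a)
```

The file list is compared after expanding %System%, so a snapshot taken from a system installed under a different directory can be triaged by passing `system_dir`. Size mismatches are still reported, since the description covers one variant and the family ships several.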
Printed From:http://www.viruslist.com/en/viruses/encyclopedia?virusid=152914