Virus Type: Mass mailing worm
Affected OS: Win95/98/Me/NT/2000/XP
Size: 130 - 148 Kbyte, 10-30 Kbyte
Packed by: Upack, UPX
Server Report
Status
Error
Test
Mail Delivery System
Mail server report.
Mail Transaction Failed
Good day
picture
Hello
1. Update-KB[number]-x86 with ZIP or EXE extension.
2. test, body, docs, doc, test, text, readme, file, document, data
------------------------------------
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail
addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
--------------------------------------
Mail transaction failed. Partial message is available.
--------------------------------------
The message contains Unicode characters and has been sent
as a binary attachment.
---------------------------------------
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
---------------------------------------
Dear Sir/Madam,
We have logged a fraud activity from the IP-address belonging to your
computer at more than 17 Web-sites and have received abuses
from several companies.
The abuse copy is sent as an attachment to this letter. Please learn this.
We have added our utilite that would help you to find and remove any spyware from your PC.
If you were not lucky using another software, please try this one.
Yours faithfully
Steven Cooper
---------------------------------------
2. Starts Notepad and displays a meaningless set of characters to the user (when the attachment, a file with a double extension, is launched).
%WinDir%\serv.exe (148 621 byte)
%WinDir%\serv.s (148 621 byte)
%WinDir%\system32\serv.dll (7 680 byte)
%WinDir%\system32\e1.dll (8 704 byte)
%WinDir%\system32\jgmdmsxm.dll (28 672 byte)
%WinDir%\system32\netacdmo.dll (20 480 byte)
%WinDir%\system32\tsd3rasd.exe (16 384 byte)
%WINDIR%\System32\wupstInt.dll (28672 byte)
%WINDIR%\System32\cssewmpd.exe (16384 byte)
%WINDIR%\System32\regaufat.dll (24576 byte)
The filenames of the dynamic libraries (*.dll) vary depending on the worm variant.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"serv" = C:\Windows\serv.exe s
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = wupstInt.dll e1.dll
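As an added defender-side example (not part of the original description), the following Python checks mail attachment names and registry autorun values against the indicators listed above. The sample attachments and registry entries are constructed, including the KB number.

```python
import re

# Attachment naming scheme described above: "Update-KB<number>-x86" with a
# ZIP or EXE extension, or one of the generic names with those extensions
# (optionally as a double extension such as document.txt.exe).
GENERIC_NAMES = {"test", "body", "docs", "doc", "text", "readme",
                 "file", "document", "data"}
KB_PATTERN = re.compile(r"^update-kb\d+-x86\.(zip|exe)$", re.IGNORECASE)
GENERIC_PATTERN = re.compile(r"^([a-z]+)(?:\.[a-z0-9]+)?\.(zip|exe)$",
                             re.IGNORECASE)

def attachment_matches(name):
    """Return True if an attachment name fits the worm's naming scheme."""
    if KB_PATTERN.match(name):
        return True
    m = GENERIC_PATTERN.match(name)
    return bool(m) and m.group(1).lower() in GENERIC_NAMES

def registry_findings(entries):
    """entries: (key, value_name, data) tuples from a registry export.
    Flags a Run entry launching serv.exe and any non-empty AppInit_DLLs
    value (DLLs listed there are loaded into every process using user32.dll)."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(r"\currentversion\run") and "serv.exe" in data.lower():
            findings.append(f"autorun: {name} = {data}")
        if (k.endswith(r"\currentversion\windows")
                and name.lower() == "appinit_dlls" and data.strip()):
            findings.append(f"AppInit_DLLs set: {data}")
    return findings

# Constructed sample data (not captured from a real infection).
SAMPLE_ATTACHMENTS = ["Update-KB891711-x86.zip", "document.txt.exe",
                      "readme.zip", "report.pdf", "data.doc"]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "serv", r"C:\Windows\serv.exe s"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "AppInit_DLLs", "wupstInt.dll e1.dll"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\Windows\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTACHMENTS:
        print(a, "->", "SUSPICIOUS" if attachment_matches(a) else "ok")
    for f in registry_findings(SAMPLE_REGISTRY):
        print(f)
```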
2. Use the Dr.Web® disk scanner or the free Dr.Web® CureIT! utility to scan the computer's local disks. Use "Cure" for all infected files.
3. Restore the registry from a backup copy.
Attention! Before performing item 2, configure the mail client to store attachments as separate files rather than inside the mail database. For instance, in The Bat! mail client, set attachments to be stored separately from the mail database as follows: (Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory).