Email-Worm.Win32.Scano.e

Other versions: .b, .l

Detection added Apr 20 2006 22:16 GMT
Update released Apr 20 2006 22:42 GMT
Description added May 15 2006
Behavior Email Worm

Technical details

This worm spreads via the Internet as an attachment to infected emails. It sends itself to email addresses harvested from the victim machine. The attachment to infected messages does not contain a copy of the worm, but an HTA component, which contains the worm's executable file.

The worm itself is a Windows PE EXE file approximately 18KB in size.

Installation

When installing, the worm copies itself to the Windows directory (%Windir%) as csrss.exe, a name borrowed from the legitimate Client/Server Runtime Subsystem binary, which lives in %Windir%\System32 rather than in %Windir% itself:

%Windir%\csrss.exe

The worm then creates the following entries in the Windows system registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
 "Debugger"="%Windir%\csrss.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Application"="%Windir%\csrss.exe"

The Image File Execution Options (IFEO) entry registers the worm as the "debugger" for explorer.exe: whenever Windows is asked to start explorer.exe it starts %Windir%\csrss.exe instead, passing the original command line as an argument, so the worm runs every time the shell is launched and is left to start the real explorer.exe itself. The Run value is a second, conventional autostart. Because of the IFEO entry, deleting %Windir%\csrss.exe while the Debugger value is still present leaves explorer.exe unable to start, since Windows then tries to launch a debugger that no longer exists.

Propagation via email

The worm harvests addresses from the Windows Address Book and from files with the extensions listed below:

adb
asp
cfg
cgi
dbx
dhtm
dhtml
eml
htm
html
jsp
mbx
mdx
mht
mmf
mra
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

The worm does not harvest addresses which contain the following strings:

0
2003
2004
2005
2006
---
.0
.00
.1
.2
.3
.4
.5
.6
.7
.8
.9
.gif
.qmail
@avp.
@example.
@foo
@iana
@messagelab
@microsoft
@subscribe
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
feste
free-av
f-secur
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
Mailer-Daemon@
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
spm111@
support
torvalds@
unix
update
winrar
winzip

To send infected messages the worm does not relay through the victim's configured mail server; it connects directly over SMTP (TCP port 25) to the recipient's mail server, so an infected host generates outbound port 25 connections of its own.

Infected messages

Examples:

Message subject

The message subject will be chosen at random from a list of 14 possible variants, all of which are in Russian.

Message body

The message body will be chosen at random from a list of 14 variants, all of which are in Russian.

Attachment

The attachment does not contain a copy of the worm itself but a polymorphic HTA (HTML Application) component that carries the worm's executable. When the attached file is opened, the HTA writes a file named ntldr.exe to the root of drive C: and runs it; this ntldr.exe is the copy of the worm. The name mimics the legitimate boot loader ntldr, which also sits in the root of C: but has no .exe extension.

Attachment name

The attachment name is chosen at random from a list of 9 variants, all of which are in Russian.

Payload

The worm connects to the following servers in order to download other files without the user's knowledge or consent:

http://207.**.250.119
http://84.**.161.192
http://85.249.**.35

Removal instructions

  1. Reboot the computer in Safe Mode (at the beginning of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the following values from the system registry. Do this before deleting the files: the IFEO entry makes Windows start %Windir%\csrss.exe in place of explorer.exe, and if that file is gone while the entry remains, explorer.exe will not start.

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
     "Debugger"="%Windir%\csrss.exe"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "Application"="%Windir%\csrss.exe"

  3. Delete the following files (leave %Windir%\System32\csrss.exe alone; that is the legitimate system process):
    %Windir%\csrss.exe
    C:\ntldr.exe
  4. Reboot the computer as normal and check that you have deleted all infected messages from all mail folders.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
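The persistence entries listed under Installation and steps 2 and 3 of the removal instructions, collected into one audit-and-clean script. This is an added example, not Kaspersky's tool or any code from the original description. It assumes Windows PowerShell 3 or later and an elevated session for -Remove. The registry keys, value names and file paths are the ones given in the description; the Add-Finding helper, the -Remove switch and the two generalized checks (every IFEO Debugger value, not only explorer.exe's, and any Run entry that launches a csrss.exe from outside System32) are this example's own additions.

```powershell
[CmdletBinding()]
param(
    [switch]$Remove    # without -Remove the script only reports what it finds
)

# Paths from the description. %Windir%\csrss.exe is the worm; the legitimate csrss.exe
# lives in %Windir%\System32. C:\ntldr.exe is the copy dropped by the HTA attachment.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wormExe  = Join-Path $env:WINDIR 'csrss.exe'
$dropper  = 'C:\ntldr.exe'

$script:findings = New-Object 'System.Collections.Generic.List[object]'

# Hypothetical helper (not from the description): records one indicator for the report.
function Add-Finding([string]$Kind, [string]$Path, [string]$Name, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Name = $Name; Detail = $Detail })
}

# 1. Every IFEO "Debugger" value, not only explorer.exe's. The worm registers itself as the
#    debugger of explorer.exe so that it is started in the shell's place; a clean workstation
#    normally has no Debugger values at all, so each one found deserves a look.
Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding -Kind 'IFEO' -Path $_.PSPath -Name 'Debugger' -Detail $dbg }
}

# 2. Run values that launch a csrss.exe from anywhere other than System32
#    (the worm names its value "Application", but the path is the better indicator).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        $v = [string]$p.Value
        if ($v -match 'csrss\.exe' -and $v -notmatch '\\system32\\') {
            Add-Finding -Kind 'Run' -Path $runKey -Name $p.Name -Detail $v
        }
    }
}

# 3. The dropped files themselves.
foreach ($f in @($wormExe, $dropper)) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        Add-Finding -Kind 'File' -Path $f -Name '' -Detail ('{0} bytes' -f (Get-Item -LiteralPath $f).Length)
    }
}

if ($script:findings.Count -eq 0) { Write-Output 'No Scano.e persistence artefacts found.'; return }
$script:findings | Format-Table -AutoSize

if (-not $Remove) {
    Write-Output 'Audit only. Re-run with -Remove from an elevated prompt (ideally in Safe Mode) to clean.'
    return
}

# Removal order matters: registry values first, IFEO before anything else. If %Windir%\csrss.exe
# were deleted while the Debugger value still pointed at it, Windows could no longer start explorer.exe.
foreach ($f in ($script:findings | Where-Object { $_.Kind -eq 'IFEO' -or $_.Kind -eq 'Run' })) {
    Remove-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction Stop
}
foreach ($f in ($script:findings | Where-Object { $_.Kind -eq 'File' })) {
    # Stop a resident copy first; matching on the full image path keeps the real System32\csrss.exe out.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { try { $_.Path -ieq $f.Path } catch { $false } } |
        Stop-Process -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $f.Path -Force
}
Write-Output 'Done. Reboot normally, purge infected mail from all folders, then run a full antivirus scan.'
```

Run it once without arguments to see what is present, then with -Remove. The script deliberately never touches %Windir%\System32\csrss.exe: the Run check excludes System32 paths, and the file check only looks at the two exact paths from the description.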
 

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.