Email-Worm.Win32.Warezov.at

Other versions: .bw, .do, .et, .ex, .gl, .iq, .jv, .jx, .la, .lb, .lg, .mo, .ms, .mx, .nd, .nf, .ns, .nv, .oa, .oi, .on, .op, .ov, .oz, .pb, .qa, .qy, .sk

Detection added Sep 25 2006 04:02 GMT
Update released Sep 25 2006 04:20 GMT
Description added Sep 25 2006
Behavior Email Worm

Technical details

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file, packed using UPack. The packed file is approximately 117KB in size, and the unpacked file is approximately 470KB in size.

Installation

Once launched, the worm causes the following message to be displayed:

It then copies itself to the Windows root directory as “t2serv.exe”:

%Windir%\t2serv.exe

It also creates the following files in the Windows system and root directories:

  • %System%\e1.dll (8192 bytes)
  • %System%\wmnecomc.dll (24576 bytes)
  • %System%\wmpcskdl.dll (20480 bytes)
  • %System%\xactcomr.exe (12288 bytes)
  • %Windir%\t2serv.dll (6656 bytes)
  • %Windir%\t2serv.s
  • %Windir%\t2serv.wax

The worm also creates the following registry entries. The Run value launches the worm file each time Windows starts; the AppInit_DLLs value does not start the worm itself but causes the two dropped DLLs to be loaded into every process that loads user32.dll:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"t2serv" = "%Windir%\t2serv.exe s"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "wmnecomc.dll e1.dll"
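The file and registry indicators above can be checked mechanically. The following script is an added example and not Kaspersky's code: it runs against an offline snapshot (a dict of registry values and a dict of file paths with sizes) so it works anywhere, and the snapshot here is constructed, not taken from a real infection. On a live Windows host you would populate the snapshot from winreg and os.stat instead; the %Windir% and %System% expansions are assumed values.

```python
"""Check a host snapshot for the Email-Worm.Win32.Warezov.at indicators.

Added example, not code from the original description. The snapshot
format and the SAMPLE_* data below are constructed for illustration.
"""
import ntpath
import re

# Indicators taken from the description: file name of the worm body,
# DLLs injected via AppInit_DLLs, and dropped files with known sizes.
WORM_EXE = "t2serv.exe"
APPINIT_DLLS = {"wmnecomc.dll", "e1.dll"}
DROPPED_FILES = {  # path template -> expected size in bytes (None = not stated)
    r"%System%\e1.dll": 8192,
    r"%System%\wmnecomc.dll": 24576,
    r"%System%\wmpcskdl.dll": 20480,
    r"%System%\xactcomr.exe": 12288,
    r"%Windir%\t2serv.exe": None,
    r"%Windir%\t2serv.dll": 6656,
    r"%Windir%\t2serv.s": None,
    r"%Windir%\t2serv.wax": None,
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"


def expand(path, env):
    """Expand %Windir%/%System% style placeholders from the given mapping."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_appinit_dlls(value):
    """AppInit_DLLs is a space- or comma-separated list of DLL paths; return basenames."""
    return [ntpath.basename(p).lower() for p in re.split(r"[ ,]+", value.strip()) if p]


def run_value_launches(value, exe_name):
    """True if the first token of a Run command line is the given executable name."""
    v = value.strip()
    if not v:
        return False
    first = v[1:].split('"', 1)[0] if v.startswith('"') else v.split(None, 1)[0]
    return ntpath.basename(first).lower() == exe_name.lower()


def scan(registry, files, env):
    """Return human-readable findings for a snapshot.

    registry: {key_path: {value_name: data}}
    files:    {full_path: size_in_bytes}
    env:      {"Windir": ..., "System": ...}
    """
    findings = []
    for name, data in registry.get(RUN_KEY, {}).items():
        if run_value_launches(data, WORM_EXE):
            findings.append(f"run-key persistence: {name} = {data}")
    appinit = registry.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    hits = APPINIT_DLLS.intersection(parse_appinit_dlls(appinit))
    if hits:
        findings.append("AppInit_DLLs injects: " + ", ".join(sorted(hits)))
    lower_files = {p.lower(): s for p, s in files.items()}
    for template, expected in DROPPED_FILES.items():
        full = expand(template, env).lower()
        if full in lower_files:
            actual = lower_files[full]
            note = "" if expected is None or actual == expected else f" (size {actual}, expected {expected})"
            findings.append(f"dropped file: {full}{note}")
    return findings


# Constructed snapshot of an infected host (assumed paths, not real data).
SAMPLE_ENV = {"Windir": r"C:\WINDOWS", "System": r"C:\WINDOWS\system32"}
SAMPLE_REGISTRY = {
    RUN_KEY: {"t2serv": r"C:\WINDOWS\t2serv.exe s",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    APPINIT_KEY: {"AppInit_DLLs": "wmnecomc.dll e1.dll"},
}
SAMPLE_FILES = {
    r"C:\WINDOWS\t2serv.exe": 117 * 1024,
    r"C:\WINDOWS\t2serv.dll": 6656,
    r"C:\WINDOWS\system32\e1.dll": 8192,
    r"C:\WINDOWS\system32\wmpcskdl.dll": 20000,  # present but wrong size
    r"C:\WINDOWS\system32\ctfmon.exe": 15360,    # benign, must not be flagged
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_ENV):
        print(finding)
```

Matching on the basename of the Run command line rather than the full string means an install under a different %Windir% is still caught, and a size mismatch is reported rather than silently ignored, since other variants drop differently sized files under the same names.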

Propagation via email

The worm sends itself to addresses harvested from the MS Windows address books.

The worm uses its own SMTP library to send infected messages.

Infected messages:

Examples of infected messages:

Payload

The worm downloads the following files from the URLs listed below, and then launches them for execution:

http://www4.vertio*****eliplim.com/chr/grv/lt.exe
http://www6.vertio*****eliplim.com/chr/grv/nt.exe

The files hosted at these URLs contain other modifications of Email-Worm.Win32.Warezov.
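Because the host name in these URLs is masked on the page, a network-side check has to match on the URL path. The script below is an added example, not part of the original description: it parses Squid-style access log records (the log lines are constructed, and the host names in them are assumed placeholders) and flags any request whose path is one of the two download paths listed above.

```python
"""Flag proxy requests for the Warezov.at download paths listed above.

Added example, not code from the original description. The LOG_RE
layout follows the Squid native access.log format; SAMPLE_LOG is
constructed and the host names in it are placeholders.
"""
import re
from urllib.parse import urlsplit

# Paths of the two download URLs from the description (host part is masked).
KNOWN_PATHS = {"/chr/grv/lt.exe", "/chr/grv/nt.exe"}

# Squid native format: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return (timestamp, client, url) if the request hits a known path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    # Compare case-insensitively: the dropper may request NT.EXE rather than nt.exe.
    if urlsplit(url).path.lower() in KNOWN_PATHS:
        return (m.group("ts"), m.group("client"), url)
    return None


def scan_log(lines):
    """Return all hits in order, one tuple per matching request."""
    return [hit for hit in map(classify, lines) if hit is not None]


def clients_to_triage(lines):
    """Distinct client addresses that fetched a known payload, for host follow-up."""
    return sorted({client for _, client, _ in scan_log(lines)})


# Constructed log records (placeholder hosts under .invalid, RFC 5737 addresses).
SAMPLE_LOG = [
    "1159160400.123    312 10.0.0.17 TCP_MISS/200 120004 GET http://www4.example.invalid/chr/grv/lt.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1159160401.456     45 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.invalid/index.html - NONE/- text/html",
    "1159160402.789    298 10.0.0.17 TCP_MISS/200 118442 GET http://www6.example.invalid/chr/grv/NT.EXE - DIRECT/203.0.113.5 application/octet-stream",
    "1159160403.001    120 10.0.0.31 TCP_MISS/404 412 GET http://www.example.invalid/chr/grv/lt.exe?x=1 - DIRECT/203.0.113.9 text/html",
    "this line is not a squid record",
]

if __name__ == "__main__":
    for ts, client, url in scan_log(SAMPLE_LOG):
        print(ts, client, url)
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

A 404 is still reported: the client that asked for the payload is infected whether or not the download succeeded, which is why triage is keyed on the client address rather than on a successful transfer.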


Copyright © 1996 - 2010
Kaspersky Lab