Email-Worm.Win32.Zhelatin.a

Other versions: .ab, .au, .ch, .db, .o, .t, .u, .v

Detection added: Jan 19 2007 23:23 GMT
Description added: Jan 31 2007
Behavior: Email Worm
Platform: Win32

Technical details

This worm spreads via the Internet as an attachment to infected messages. Infected messages will be sent to all email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file. The file size may vary significantly. The file is packed using UPX.

Installation

When installing, the worm copies itself (with the attribute ‘hidden’) to the Windows system directory as “alsys.exe”:

%System%\alsys.exe

It then creates the following entries in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Agent" = "%System%\alsys.exe…"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Agent" = "%System%\alsys.exe…"

This ensures that the worm will be launched each time Windows is booted on the victim machine.

The worm creates a file with a random name in the current directory. This file is detected by Kaspersky Anti-Virus as Trojan-Proxy.Win32.Lager.dp.

The worm also creates the following files in the Windows system directory:

%System%\wincom32.ini
%System%\wincom32.sys

wincom32.sys is a rootkit component which is loaded as a service driver and runs at kernel level. It is designed to hide the worm's files on the hard disk and to mask the worm's entries in the system registry.

The worm also creates a unique identifier, “klllekkdkkd”, to flag its presence in the system.

The worm also sets the following system registry value to 4 (SERVICE_DISABLED), which disables the “Windows Firewall/Internet Connection Sharing (ICS)” service so that it is no longer started:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
[HKLM\System\ControlSet001\Services\SharedAccess]
"Start" = "4"

Propagation via email

Infected messages will be sent to all email addresses harvested from the victim machine.

In order to send messages the worm attempts to establish a direct connection to the recipient's SMTP server.

Examples of infected messages:

Message subject (chosen at random from the list below):

  • 5 Reasons I Love You
  • A Bouquet of Love
  • A Day in Bed Coupon
  • A Hug & Roses
  • A Kiss for You
  • A Kiss So Gentle
  • A Little (sex) Card
  • A Monkey Rose for You
  • A Red Hot Kiss
  • A Relaxing Coupon
  • A Romantic Place
  • A Song to You
  • A Special Flower for You
  • A Special Kiss
  • A Sweet Love
  • A Token of My Love
  • A Weekend Getaway
  • Against All Odds
  • All For You
  • All That Matters
  • Angel of Love
  • Awaiting Your Love
  • Baby, I'll Be There
  • Back Together
  • Between Us
  • Bewitching Moonlight
  • Brand New Love
  • Breakfast in Bed Coupon
  • Bubble Bath Coupon
  • Can't Wait to See You!
  • Crazy way to say I Luv U
  • Cuddle Me Please
  • Cuddle Up
  • Cyber Love
  • Dancing With You
  • Dinner Coupon
  • Doing It for You
  • Dream Date Coupon
  • Dream Girl
  • Emptiness Inside Me
  • Eternity of Your Love
  • Evening Romance
  • Every Inch of Your Body
  • Everyone Needs Someone
  • Falling In Love with You
  • Feeling Horny?
  • Fields Of Love
  • For Better of For Worse
  • For You
  • For You....My Love
  • Forever and Ever
  • Forever in Love
  • From this day forward
  • Full Heart
  • Hand in Hand
  • Hand in Hand
  • He Blessed Our Lives
  • Heart is Breaking
  • Heart of Mine
  • Hey Cutie
  • Hold Me (distant love)
  • Hold On
  • How Much I Love You
  • Hugging My Pillow
  • I Always Knew
  • I am Complete
  • I Am Lost In You
  • I Believe
  • I Can't Function
  • I Dream of you
  • I Give to You
  • I Love Thee
  • I Love Thee
  • I Love You Mower
  • I Love You So
  • I Love You Soo Much
  • I Love You with All I Am
  • I Still Love You
  • I Think of You
  • I Win with You
  • I wish
  • I Woof You
  • I Would Do Anything
  • I Would Give you Anything
  • If I Could
  • If I Knew
  • I'll Be Your Man
  • In Love
  • In My Heart
  • Inside My Heart
  • Internet Love
  • It's Your Move
  • Just You
  • Just You & Me
  • Kiss Coupon
  • Kisses, Hugs & Roses
  • Last Night was Hot!
  • Let's Get Frisky
  • Live With Me
  • Longing for You
  • Love at First Sight
  • Love Birds
  • Love for Granted
  • Love is in the Air
  • Love Remains
  • Love You Deeply
  • Made for Each Other
  • Magic of Flowers
  • Massage Coupon
  • Memories
  • Miracle of Love
  • Miracle of Love
  • Moonlit Waterfall
  • Most Beautiful Girl
  • My Eye on You
  • My Heart belongs to you
  • My Heart is Thinking
  • My Invitation
  • My Love
  • My Perfect Love
  • Now and Forever
  • Now I Know
  • Old Together
  • Only You
  • Our Love
  • Our Love Everyday
  • Our Love is Free
  • Our Love is Strong
  • Our love is torn by miles
  • Our Love Nest
  • Our Love Will Last
  • Our Two Hearts
  • Our Wedding Day
  • P.M.S
  • Passionate Kiss
  • Peek-A-Boo
  • Pockets of Love
  • Puppy Love
  • Red Rose
  • Romantic Picnic Coupon
  • Rose for my Love
  • Safe and Sound
  • Safe With You
  • Search for One
  • Sending Kiss
  • Sending You My Love
  • Sending You My Love
  • Showers Of Love
  • So in Love
  • So in Love
  • So Unique
  • Solitary Beauty
  • Someone at Last
  • Soul Mates
  • Soul Partners
  • Steamy Dream
  • Steamy Sex Coupon
  • Summer Love
  • Take My Hand
  • Teddy Bear & Roses
  • Tender Whispers
  • Thanks...Love
  • That Special Love
  • The Candle's Light
  • The Dance of Love
  • The Kiss
  • The Letter
  • The Long Haul
  • The Love Bugs
  • The Miracle of Love
  • The Mood for Love
  • The Mood for Love
  • The Sweet Taste of Love
  • The Time for Love
  • Thinking about you
  • Thinking of You
  • This Day Forward
  • This Feeling
  • Til the End of Time
  • Till Morning's Light
  • Till Morninig's Light
  • Times Are Hard, I Luv U
  • To New Spouse
  • Together Again
  • Together You and I
  • Touched by Love
  • True Love
  • Trunk Full Of Love
  • Twice Blest
  • Twilight Paradise
  • Two of a Kind
  • Unique Love
  • Unmatchable Beauty
  • Until the Day
  • Vacation Love
  • Waiting for You
  • Want to Meet?
  • Want You to Know
  • We Are Different
  • We Have Walked
  • We're a Perfect Fit
  • When I look at you
  • When I'm With You
  • When I'm With You
  • When You Fall in Love
  • Why I Love You
  • Wild Nights--Wild Nights
  • Will You?
  • Window of Beauty
  • Wine and Roses
  • Wish I Could Tell You
  • Wish Upon a Star
  • With All My Love
  • With All of My Heart
  • With This Ring
  • Without Your Love
  • Won't you dance with me
  • Words I Write
  • Worthy of You
  • Wrapped in Your Arms
  • Wrapped Up
  • You + Me
  • You and I
  • You and I Forever
  • You Are My Guiding Star
  • You are out of this world
  • You Asked Me Why
  • You Brighten My Day
  • You Lucky Duck!
  • You Rock Me!
  • You Were Worth the Wait
  • Your Love Has Opened
  • Your Silly Smile
  • You're My Hero
  • You're so Far Away
  • You're Soo kissable
  • You're the One

Attachment name (chosen at random from the list below):

  • flash postcard.exe
  • Flash Postcard.exe
  • Greeting Card.exe
  • greeting card.exe
  • Greeting Postcard.exe
  • greeting postcard.exe
  • Postcard.exe
  • postcard.exe
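
The lure pattern above (a subject from the worm's list combined with an executable "postcard" attachment) is easy to triage at the mail gateway. The following is an added example, not code from the original page; it uses only Python's standard `email` module, the message is constructed, and `LURE_SUBJECTS` is a small subset of the full subject list above (a deployment would load the whole list).

```python
from email import message_from_string
from email.message import Message

# Subset of the subject list above; compared case-insensitively
LURE_SUBJECTS = {s.lower() for s in (
    "A Kiss So Gentle", "Hold Me (distant love)", "Our Love Nest",
    "You're Soo kissable", "Till Morninig's Light",
)}
# The attachment list above collapses to these four names once case is ignored
LURE_ATTACHMENTS = {
    "flash postcard.exe", "greeting card.exe", "greeting postcard.exe", "postcard.exe",
}


def attachment_names(msg: Message):
    """Yield attachment file names from every MIME part of the message."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def triage(raw: str) -> dict:
    """Classify a raw RFC 822 message against the worm's lure pattern."""
    msg = message_from_string(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS
    att_hits = [n for n in attachment_names(msg) if n.lower() in LURE_ATTACHMENTS]
    if att_hits and subject_hit:
        verdict = "block: Zhelatin-style lure (listed subject + executable postcard)"
    elif att_hits:
        verdict = "quarantine: executable postcard attachment"
    else:
        verdict = "pass"
    return {"subject_hit": subject_hit, "attachments": att_hits, "verdict": verdict}


# Constructed sample message; the attachment body is a placeholder, not real code
SAMPLE_MAIL = """\
From: sender@example.com
To: recipient@example.org
Subject: Our Love Nest
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a postcard.
--b1
Content-Type: application/octet-stream; name="Postcard.exe"
Content-Disposition: attachment; filename="Postcard.exe"
Content-Transfer-Encoding: base64

TVqQAAMA
--b1--
"""
```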

Payload

The worm attempts to terminate processes if the name of the process contains one of the strings listed below:

  • regedit.exe
  • anti
  • avg
  • avp
  • blackice
  • firewall
  • f-pro
  • hijack
  • lockdown
  • mcafee
  • msconfig
  • nav
  • nod32
  • rav
  • reged
  • spybot
  • taskmgr
  • troja
  • viru
  • vsmon
  • zonea

If the worm finds files with a .exe or a .scr extension on the victim machine, it copies itself to the directory where the file is located under a randomly generated name with the attribute ‘hidden’: <random file name>.t. The worm then infects the file it found by appending its code to the file and changing the entry point, so that when the executable is launched, the copy of the worm runs first.

Removal instructions

Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.

If you have Kaspersky Anti-Virus 6.0, and Proactive Protection is enabled, this worm will be detected without the need to update antivirus databases.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following files:
    %System%\alsys.exe
    %System%\wincom32.ini
    %System%\wincom32.sys
  4. Delete all copies of the worm.
  5. Delete the following system registry entries:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Agent" = "%System%\alsys.exe…"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Agent" = "%System%\alsys.exe…"

  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Copyright © 1996 - 2010 Kaspersky Lab