Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Email Worms

Email-Worm.Win32.Zhelatin.u

Other versions: .a, .ab, .au, .ch, .db, .o, .t, .v

Detection added Feb 08 2007 16:17 GMT
Description added Feb 09 2007
Behavior Email Worm

Technical details

This email worm is a Windows PE EXE file. It can vary from 6KB to 54KB in size. It is packed using UPX.

Installation

When installing, the worm creates the following files in the Windows system directory:

  • %System%\adirss.exe – 6038 bytes in size.
  • %System%\taskdir.exe – 54166 bytes in size.
  • %System%\zlbw.dll – 46592 bytes in size.
  • %System%\adir.dll – 4608 bytes in size. This file will be detected by Kaspersky Anti-Virus as Email-Worm.Win32.Banwarum.f.

In order to ensure that the worm is launched automatically each time Windows is restarted, it registers its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
sysinter="%System%\adirss.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
taskdir="%System%\taskdir.exe"

It creates the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adir]

which will load %System%\adir.dll each time Windows is rebooted.

The worm adds a rule to the system firewall which permits activity from the worm's executable file. In order to do this, it executes the following command:

netsh firewall set allowedprogram %System%\adirss.exe enable

The worm also creates a service called "Windows update Service” which will load the worm’s executable file %System%\taskdir.exe

Payload

The adirss.exe process launches an SMTP proxy server on TCP port 25. This enables a remote malicious user to use the infected machine as part of a botnet to send spam.

The worm will then register itself on the remote malicious user’s site, transmitting the network address of the victim machine.

The worm then downloads a file containing the botnet configuration from the remote malicious user’s site, and saves it as %System%\log.txt. Data from this file will then be used to get data in order to send spam.

%System%\adir.dll is a rootkit library, which hides worm files on the hard disk, processes launched by the worm, and registry keys which contain the worm configuration.

The worm downloads a file from the following link:

http://***cp/bin/lim

and saves it as: 

%System%\taskdir~.exe

The file is then launched for execution.

At the moment of writing, this link was not working.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Reboot the computer in Safe Mode.
  2. Delete the following files: 
    %System%\adirss.exe
%System%\taskdir.exe
%System%\zlbw.dll
%System%\adir.dll
%System%\log.txt
%System%\taskdir~.exe
  3. Delete the following system registry key parameters:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    sysinter="%System%\adirss.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    taskdir="%System%\taskdir.exe"

  4. Delete the following registry key:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\adir]
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com