Win32:Warezov family

Win32:Warezov is a family of mass-mailing worms with backdoor functionality.

Summary
Type Worm
Aliases W32.Stration
Platform Windows

Description

When Win32:Warezov is launched, it creates several executables in the %WINDOWS% and %SYSTEM% directories (the count and names of the files depend on the exact version of Win32:Warezov). These files are also detected as Win32:Warezov. Then it opens Notepad and displays random characters in the text file.

Win32:Warezov sets itself to run every time Windows starts by creating a registry entry in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Win32:Warezov scans several types of files for email addresses. These addresses are then saved and used to send itself as an email attachment. Win32:Warezov sends emails with the following characteristics:

  1. Subject (one of the following):
    • Error
    • Good Day
    • hello
    • Mail Delivery System
    • Mail Transaction Failed
    • picture
    • Server Report
    • Status
    • test
  2. Message (one of the following):
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
    • The message contains Unicode characters and has been sent as a binary attachment.
  3. Attachment filename consists of three parts: a filename, a false extension and the real extension, each chosen from one column below. The false extension is followed by blank spaces, which are followed by the real extension. For example, 'Update-KB1234-x86.msg .cmd' is one of many options.
    Filename parts
    1: filename                      2: false ext.   3: real ext.
    body                             .dat            .bat
    data                             .eml            .cmd
    doc                              .log            .exe
    docs                             .msg            .pif
    document                         .txt            .scr
    file
    message
    readme
    test
    text
    Update-KB[RANDOM NUMBER]-x86
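The attachment naming scheme and subject list above can be turned into a simple mail-gateway check. This is an added example, not code from the original page or from any vendor product; the sample messages are constructed, and the function names are our own.

```python
import re

# Naming parts from the description above: base name, decoy extension,
# real (executable) extension. Extension matching is case-insensitive.
BASE_NAMES = {"body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"}
KB_BASE = re.compile(r"^Update-KB\d+-x86$")          # Update-KB[RANDOM NUMBER]-x86
FALSE_EXTS = {".dat", ".eml", ".log", ".msg", ".txt"}
REAL_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
SUBJECTS = {"Error", "Good Day", "hello", "Mail Delivery System",
            "Mail Transaction Failed", "picture", "Server Report", "Status", "test"}

def parse_warezov_attachment_name(name):
    """Split name into (base, false_ext, real_ext) if it follows the scheme
    <base><false ext><one or more blanks><real ext>; otherwise return None."""
    stem, dot, real = name.rpartition(".")
    if not dot or "." + real.lower() not in REAL_EXTS:
        return None
    unpadded = stem.rstrip(" ")
    if unpadded == stem:            # blanks between the two extensions are required
        return None
    base, dot, false = unpadded.rpartition(".")
    if not dot or "." + false.lower() not in FALSE_EXTS:
        return None
    if base not in BASE_NAMES and not KB_BASE.match(base):
        return None
    return base, "." + false.lower(), "." + real.lower()

def warezov_indicators(subject, attachment_names):
    """List the Warezov indicators present in one message: a known subject
    line and/or an attachment named per the scheme. An empty list means none."""
    hits = ["subject"] if subject in SUBJECTS else []
    hits += ["attachment:" + n for n in attachment_names
             if parse_warezov_attachment_name(n) is not None]
    return hits

# Constructed sample messages (not real captures) for a quick local run.
SAMPLE_MAIL = [
    ("Mail Delivery System", ["Update-KB1234-x86.msg      .cmd"]),
    ("Quarterly report", ["report.pdf"]),
    ("Status", ["readme.txt.exe"]),   # no blanks: not the scheme; subject still hits
]

if __name__ == "__main__":
    for subject, names in SAMPLE_MAIL:
        print(repr(subject), warezov_indicators(subject, names))
```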

Many variants of Win32:Warezov are capable of downloading other dangerous or unwanted applications such as Trojans or Adware. Many variants may disable security-related products and/or block their updates and access to their websites by adding lines to the hosts file (e.g. '127.0.0.1 download.microsoft.com').

Win32:Warezov provides a backdoor server that allows remote control of the computer.

Comment: %WINDOWS% refers to the Windows installation folder. By default it is C:\Windows (Windows 95, 98, Me, XP) or C:\Winnt (Windows NT, 2000). %SYSTEM% refers to the Windows system folder. By default it is C:\Windows\System (Windows 95, 98, Me), C:\Winnt\system32 (Windows NT, 2000) or C:\Windows\System32 (Windows XP).

Detection/Removal

Win32:Warezov is a fast-growing family. Update your VPS file regularly.
