Win32:Warezov family
Win32:Warezov is a family of mass-mailing worms with backdoor functionality.
| Summary | |
|---|---|
| Type | Worm |
| Aliases | W32.Stration |
| Platform | Windows |
Description
When Win32:Warezov is launched, it creates several executables in the %WINDOWS% and %SYSTEM% directories (the count and names of the files depend on the exact version of Win32:Warezov). These files are also detected as Win32:Warezov. It then opens Notepad and displays random characters in the text file.
Win32:Warezov sets itself to run every time Windows starts by creating a registry entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32:Warezov scans several types of files for email addresses. These addresses are then saved and used to send itself as an email attachment. Win32:Warezov sends emails with the following characteristics:
- Subject (one of the following):
  - Error
  - Good Day
  - hello
  - Mail Delivery System
  - Mail Transaction Failed
  - picture
  - Server Report
  - Status
  - test
- Message (one of the following):
  - Mail transaction failed. Partial message is available.
  - The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
  - The message contains Unicode characters and has been sent as a binary attachment.
- Attachment filename consists of three parts, each chosen from one column of the table below; the second part (a false extension) is followed by a run of blank spaces and then the third part (the real extension). For example, 'Update-KB1234-x86.msg .cmd' is one of many options.

| 1: filename | 2: false ext. | 3: real ext. |
|---|---|---|
| body | .dat | .bat |
| data | .eml | .cmd |
| doc | .log | .exe |
| docs | .msg | .pif |
| document | .txt | .scr |
| file | | |
| message | | |
| readme | | |
| test | | |
| text | | |
| Update-KB[RANDOM NUMBER]-x86 | | |
Many variants of Win32:Warezov are capable of downloading other dangerous or unwanted applications, such as Trojans or Adware. Many variants may also disable security-related products and/or block their updates and access to their websites by adding lines to the hosts file (e.g. '127.0.0.1 download.microsoft.com').
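As an added example (not part of this description), a small Python check that flags attachment names built the way described above and lists hosts-file entries that point sites at 127.0.0.1; the sample names and hosts lines are constructed, not captured data.

```python
import re

# Added example, not from the original description: flag mail attachment
# names built the Warezov way ("<name><false ext><spaces><real ext>") and
# hosts-file lines that point update/security sites at 127.0.0.1.
NAMES = {"body", "data", "doc", "docs", "document", "file",
         "message", "readme", "test", "text"}
FALSE_EXTS = {".dat", ".eml", ".log", ".msg", ".txt"}
REAL_EXTS = {".bat", ".cmd", ".exe", ".pif", ".scr"}

# name, then a fake extension, a run of blanks, and the extension that runs
ATTACH_RE = re.compile(
    r"^(?P<name>.+?)(?P<fake>\.[a-z]{3})(?P<pad>[ \t]+)(?P<real>\.[a-z]{3})$", re.I)


def classify_attachment(filename):
    """Return 'warezov-pattern', 'padded-double-extension' or None."""
    m = ATTACH_RE.match(filename)
    if not m or m.group("real").lower() not in REAL_EXTS:
        return None
    name = m.group("name")
    known_name = (name.lower() in NAMES
                  or re.fullmatch(r"Update-KB\d+-x86", name) is not None)
    if known_name and m.group("fake").lower() in FALSE_EXTS:
        return "warezov-pattern"
    return "padded-double-extension"


def loopback_redirects(hosts_text):
    """Hostnames a hosts file maps to 127.0.0.1, other than localhost itself."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            found.extend(h for h in fields[1:] if h.lower() != "localhost")
    return found


if __name__ == "__main__":
    # constructed samples, not captured data
    for n in ("Update-KB1234-x86.msg      .cmd", "readme.txt", "photo.jpg   .exe"):
        print(n, "->", classify_attachment(n))
    sample_hosts = "127.0.0.1 localhost\n127.0.0.1 download.microsoft.com  # added by worm\n"
    print(loopback_redirects(sample_hosts))
```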
Win32:Warezov provides a backdoor server which allows remote control of the computer.
Comment: %WINDOWS% refers to the Windows installation folder. By default it is C:\Windows (Windows 95, 98, Me, XP) or C:\Winnt (Windows NT, 2000). %SYSTEM% refers to the Windows system folder. By default it is C:\Windows\System (Windows 95, 98, Me), C:\Winnt\system32 (Windows NT, 2000) or C:\Windows\System32 (Windows XP).
Detection/Removal
Win32:Warezov is a fast growing family. Update your VPS file regularly.