

(W32/Areses.dr, MalwareScope.Trojan-PSW.Pinch.1, TR/Crypt.XPACK.Gen, Email-Worm.Win32.Scano.ay, WORM_SCANO.AY, EXP/Scano, Trojan.HTML.Dropper.A, W32/Areses.f, VBS/Inor, Email-Worm.Win32.Scano.gen, I-Worm/Scano, TrojanDropper:VBS/Scano.gen, WORM_SCANO.BH, VBS/Drop.Inor.CT, I-Worm/Scano.BJ, Dropper.Inor, TR/Crypt.UPKM.Gen, W32/Areses.a@MM, Worm:Win32/Scano.dr, Mal_VBSDrpr, TR/Vundo.Gen, I-Worm/Scano.BP, Generic.dw, Generic.SGO, I-Worm/Scano.AR, HTML/Drop.Scano.L)

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: 17 872 bytes

Packed by: No

Technical Information

  • Spreads via e-mail as an attachment. Forges the sender's address.
  • Mail subjects and bodies are in Russian.
  • A .cab archive is created as the attachment. This archive contains the dropper for the main virus body. The file name starts with "new", "me", "you", "cool" or "Re" and has a double extension. The first extension is one of ".doc", ".txt", ".avi", ".mpeg" and the second one is " .cpl". Example: "me.doc .cpl" inside the archive.
  • Copies itself to the system folder under the name %systemroot%\csrss.exe (the genuine csrss.exe is located at %systemroot%\system32\csrss.exe).
  • Launches additional services.exe and svchost.exe processes. Injects code that maintains the autorun record in the registry and the integrity of its csrss.exe carrier.
  • If the virus body is deleted, it is immediately restored from a copy kept in the memory of the infected services.exe process. At the same time, a "Windows File Protection" operation is simulated.
  • The main part of the virus, running in the svchost.exe process, scans all available disks for e-mail addresses to distribute itself to. It searches files with the following extensions:
    .adb, .asp, .cfg, .cgi, .mra, .dbx, .dhtm, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls, .xml, .dhtml
  • Extracted addresses must not contain any of the following substrings:

    "2004" "kasp" "@."
    "2005" "admin" "---"
    "2006" "icrosoft" "abuse"
    "@hotmail" "support" "panda"
    "@msn" "ntivi" "cafee"
    "@microsoft" "unix" "spam"
    "rating@" "bsd" "pgp"
    "f-secur" "linux" "@avp."
    "news" "listserv" "noreply"
    "update" "certific" "local"
    ".qmail" "torvalds@" "root@"
    ".gif" "sopho" "postmaster@"
    "anyone@" "@foo" ".0"
    "bugs@" "@iana" ".1"
    "contract@" "free-av" ".2"
    "feste" "@messagelab" ".3"
    "gold-certs@" "winzip" ".4"
    "help@" "google" ".5"
    "info@" "winrar" ".6"
    "nobody@" "samples" ".7"
    "noone@" "spm111@" ".8"
    "0000" ".." ".9"

  • On launch, the virus tries to download and directly execute an .exe file:

    http: // / 0.exe

    or tries to get an encrypted address list for further downloads:

    http: // g.php
    http: // m.php
    http: // f.php

  • If a virtual machine is detected, the virus opens a site and terminates.
  • Ensures that it runs after a system reboot by writing to the registry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger = "C:\WINDOWS\csrss.exe"

  • System Recovery References

    a) Download Dr.Web CureIt! utility.
    b) Disconnect the computer from local network and/or Internet.
    c) Boot Windows in "Safe Mode with Command Prompt".
    d) Enter and execute the command:
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v Debugger /f
    e) Run the Dr.Web CureIt! utility or antivirus disk scanner (if present). Scan directory: %SystemRoot% (C:\Windows by default). Apply the "delete" action to objects infected with Win32.HLLM.Perf.
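
The two host indicators described above (the Debugger value under Image File Execution Options and a csrss.exe outside System32) can be checked offline in a registry export taken from a suspect machine. The following is an added example, not Dr.Web's code; it goes beyond the explorer.exe case and reports every Debugger value under that key. The sample export text, the notepad.exe entry and all function names are constructed for illustration.

```python
import ntpath
import re

IFEO_SUFFIX = r"microsoft\windows nt\currentversion\image file execution options"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE_RE = re.compile(r'([^"]+?\.exe)', re.I)

# Constructed sample of `reg export` output (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Tools\\dbg\\windbg.exe\" -g"
'''

def rogue_csrss(command):
    """True if the command runs a csrss.exe that is not inside System32."""
    m = EXE_RE.search(command)
    if not m:
        return False
    path = ntpath.normpath(m.group(1).strip()).lower()
    return (ntpath.basename(path) == "csrss.exe"
            and ntpath.basename(ntpath.dirname(path)) != "system32")

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger_command, rogue_csrss_flag) per Debugger value."""
    hits, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Only direct children of the IFEO key name an executable image.
            parent, _, leaf = key.group("key").rpartition("\\")
            image = leaf if parent.lower().endswith(IFEO_SUFFIX) else None
            continue
        val = VAL_RE.match(line)
        if image and val and val.group("name").lower() == "debugger":
            # .reg files escape backslash and double quote with a backslash.
            command = re.sub(r"\\(.)", r"\1", val.group("data"))
            hits.append((image, command, rogue_csrss(command)))
    return hits

if __name__ == "__main__":
    for image, command, rogue in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: Debugger={command!r} rogue_csrss={rogue}")
```

Any Debugger value on a machine where no debugger was deliberately configured deserves review; the rogue flag marks only the csrss.exe placement this description reports.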