Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLM.Limar

(WORM_STRAT.GEN-3, WORM/Stration.Gen, Trojan:Win32/Stration.F!dll, Win32.Warezov.ZR@mm, W32/Stration.gen@MM, Email-Worm.Win32.Warezov.iq, I-Worm/Stration.DRT, Trojan:Win32/Stration, Generic.Stration.A3248805, Generic_c.DXP, Win32.Worm.Stration.QRM, Email-Worm.Win32.Warezov.nj, Trojan.Downloader.Warezov.W, Win32.Warezov.JQ@mm, Email-Worm.Win32.Warezov.aah, I-Worm/Generic.AFQ, TROJ_Generic.DIS, Win32/Stration.AS, Mal_Strat-2, Trojan.Win32.Muwid.ab, Email-Worm.Win32.Warezov.qh)

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: 130 - 148 Кbyte, 10-30 Kbyte

Packed by: Upack, UPX

Technical Information

  • Worm distributes as messages with attachment.
  • Message theme can be the following:

    Server Report
    Status
    Error
    Test
    Mail Delivery System
    Mail server report.
    Mail Transaction Failed
    Good day
    picture
    Hello

  • Attachment can be in the form of ZIP-archive, EXE-file or a file with double extension.
  • Attachment name can be as the following:

    1.Update-KB[number]-х86 with ZIP or EXE extension.
    2. test, body, docs, doc, test, text, readme, file, document, data

  • Message body contains such text:

    ------------------------------------ Mail server report.
    Our firewall determined the e-mails containing worm copies are being sent from your computer.
    Nowadays it happens from many computers, because this is a new virus type (Network Worms).
    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail
    addresses and sends the copies of itself to these e-mail addresses
    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service
    --------------------------------------
    Mail transaction failed. Partial message is available.
    -------------------------------------- The message contains Unicode characters and has been sent
    as a binary attachment.
    ---------------------------------------
    The message cannot be represented in 7-bit ASCII encoding
    and has been sent as a binary attachment
    ---------------------------------------
    Dear Sir/Madam,

    We have logged a fraud activity from the IP-address belonging to your
    computer at more than 17 Web-sites and have received abuses
    from several companies.

    The abuse copy is sent as an attachment to this letter. Please learn this.

    We have added our utilite that would help you to find and remove any spyware from your PC.
    If you were not lucky using another software, please try this one.

    Yours faithfully
    Steven Cooper
    ---------------------------------------

  • Depending on the type of message attachment the worm during its reboot perform the following: 1. Displays "Update successfully installed" (during Update-KB[number]-х86 attachment open).
    2. Starts Notepad, showing the user promiscuous set of symbols (during reboot of attachment in the form of file with double extention).
  • Depending on its modification the worm during its reboot creates the following files:

    %WinDir%\serv.exe (148 621 byte)
    %WinDir%\serv.s (148 621 byte)
    %WinDir%\system32\serv.dll (7 680 byte)
    %WinDir%\system32\e1.dll (8 704 byte)
    %WinDir%\system32\jgmdmsxm.dll (28 672 byte)
    %WinDir%\system32\netacdmo.dll (20 480 byte)
    %WinDir%\system32\tsd3rasd.exe (16 384 byte)
    %WINDIR%\System32\wupstInt.dll (28672 byte)
    %WINDIR%\System32\cssewmpd.exe (16384 byte)
    %WINDIR%\System32\regaufat.dll (24576 byte)

  • At that filenames of dynamic libraries (*.dll) are set differently – depending on the worm modification.

  • Worm masks its processes.
  • Worm ends up processes of some antivirus products and firewalls. Particularly the worm sets up automatically serv.exe application into the list of “Trusted” which is in Agnitum Outpost Firewall application list. This happens if “Training mode” policy is used.
  • Worm creates file with *.wax extension. Then it records here mail addresses which are registered in the affected system.
  • For its own further launching the worm registers itself in autoload, modifying sections in registry:

    HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run
    "serv" = C:\Windows\serv.exe s

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs" = wupstInt.dll e1.dll

  • Worm distributes its numerous copies and connects to different servers according to the SMTP protocol.
  • System Recovery recommendations
    1.Reboot Windows OS in Safe Mode.

    2. Use Dr.Web® disk scanner or free Dr.Web® CureIT! utility to scan computer’s local disks. Use “Cure” for all infected files.
    3.Recover registry from backup copy.

    Attention! Right before item 2 you should adjust mail client so that it could store attachments as separate files and not in the mailing base body. For instance, if it is storage of attachments separately form mailing base in TheBat! mail client fix it in the following way: (Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory).