This is a generic description of the Warezov family of worms. It covers the family as a whole and does not give details of specific variants or variant-specific removal instructions; for those, see the documentation on the individual variants.
The worm uses its own SMTP engine to mass-mail itself to e-mail addresses harvested from the victim machine. It usually arrives as an e-mail attachment with one of various file extensions and may be packed with any of several packers, compressors or encryptors. It affects most Windows systems, including Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. The worm is written in Microsoft Visual C++ and can also connect to a remote web server to download a file.
When executed
The worm copies itself to the Windows system directory (%System%) or the Windows directory (%Windir%) under various file names and may drop several additional files. Some of these could be:
%Windir%\rsmb.exe
%Windir%\rsmb.dll
%Windir%\rsmb.wax
%Windir%\rsmb.gfx
%Windir%\tsrv.dll
%Windir%\svchost32.exe
%System%\acac.dll
%System%\corpdpvv.exe
%System%\d3diusp1.dll
%System%\fldrtsd3.dll
%System%\sisbmsxb.dll
It may drop a text file named ~[RANDOM NUMBER].tmp containing random characters, which it later opens in notepad.exe.
It may also drop multiple copies of itself in the user's temp folder using file names with a double extension.
For example: %Userprofile%\Local Settings\Temp\document.txt .cmd
Note: the two extensions are separated by multiple spaces, so that the real, executable extension is pushed out of view in a display that truncates long file names; the file system still treats the last extension (.cmd here) as the real one.
(NOTE: %System% refers to the local Windows system directory. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP)).
(NOTE: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt).
Creates a registry entry in one or both of the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so the Worm executes every time Windows restarts. The entry could be something like:
"rsmb" = "%Windir%\rsmb.exe s" or "tsrv" = "%Windir%\tsrv.exe s"
The worm also adds the following Winlogon Notify sub-key, whose DllName value names its DLL so that winlogon.exe loads it each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac
Creates a registry entry in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
so that its DLLs are loaded into every process that loads user32.dll (the AppInit_DLLs mechanism). The entry could be something like:
"AppInit_DLLs" = " sisbmsxb.dll fldrtsd3.dll"
The worm may mark a file for deletion the next time Windows starts via the PendingFileRenameOperations value of the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
The entry could be something like: "PendingFileRenameOperations" = "%Windir%\svchost32.exe" (a source path with an empty destination means delete).
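As an added example (not part of the original write-up and not Command Anti-Virus code), the following Python script triages the four autostart locations listed above from a `reg export` text file, which is what an analyst usually has when examining an offline image. The sample export embedded in the script is constructed for the example: it mirrors the entries described above plus one legitimate Run entry and one legitimate Winlogon Notify package, so the output shows the difference between an indicator match and a mechanism that merely deserves review. Only REG_SZ and hex(7) (REG_MULTI_SZ) values are parsed, which is all these four locations need.

```python
import re
from dataclasses import dataclass

# File names this write-up associates with Warezov (lower-case, no paths).
WAREZOV_NAMES = {
    "rsmb.exe", "rsmb.dll", "tsrv.exe", "tsrv.dll", "svchost32.exe", "acac.dll",
    "corpdpvv.exe", "d3diusp1.dll", "fldrtsd3.dll", "sisbmsxb.dll",
}
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SESSION_MANAGER = r"hkey_local_machine\system\currentcontrolset\control\session manager"

# Constructed sample in `reg export` format (not from a real infection). The
# PendingFileRenameOperations value is UTF-16LE "C:\WINDOWS\svchost32.exe\0\0\0":
# source path, empty destination (= delete), list terminator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rsmb"="C:\\WINDOWS\\rsmb.exe s"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]
"DllName"="acac.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" sisbmsxb.dll fldrtsd3.dll"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,\
  57,00,53,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,33,00,32,00,2e,00,\
  65,00,78,00,65,00,00,00,00,00,00,00
'''


@dataclass
class Finding:
    severity: str   # "high": matches a Warezov indicator; "review": suspicious mechanism
    key: str
    value: str
    detail: str


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key: {value_name: data}} for REG_SZ (str) and hex(7) REG_MULTI_SZ (list)
    values. Other value types are ignored; key names are lower-cased for matching."""
    entries, key, i = {}, None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            entries[key][name] = _unescape(data[1:-1])
        elif data.startswith("hex(7):"):
            hexpart = data[len("hex(7):"):]
            while hexpart.endswith("\\"):            # join continuation lines
                hexpart = hexpart[:-1] + lines[i].strip()
                i += 1
            s = bytes.fromhex(hexpart.replace(",", "")).decode("utf-16-le")
            if s.endswith("\0\0"):                   # drop last string + list terminator
                s = s[:-2]
            entries[key][name] = s.split("\0")
    return entries


def _image_name(command):
    """Executable file name from a Run command line, quoted or not."""
    command = command.strip()
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Walk the parsed export and report what each autostart location will load."""
    findings = []
    for key, values in entries.items():
        if key in RUN_KEYS:
            for name, cmd in values.items():
                if isinstance(cmd, str) and _image_name(cmd) in WAREZOV_NAMES:
                    findings.append(Finding("high", key, name, f"Run entry launches {cmd}"))
        elif key.startswith(NOTIFY_PREFIX):
            dll = str(values.get("DllName", "")).lower()
            sev = "high" if dll in WAREZOV_NAMES else "review"
            findings.append(Finding(sev, key, "DllName", f"winlogon.exe loads {dll or '(unset)'}"))
        elif key == WINDOWS_KEY:
            appinit = values.get("AppInit_DLLs", "")
            if isinstance(appinit, str) and appinit.strip():
                for dll in re.split(r"[\s,]+", appinit.strip()):
                    sev = "high" if dll.lower() in WAREZOV_NAMES else "review"
                    findings.append(Finding(sev, key, "AppInit_DLLs",
                                            f"{dll} loads into every process using user32.dll"))
        elif key == SESSION_MANAGER:
            ops = values.get("PendingFileRenameOperations", [])
            for src, dst in zip(ops[0::2], ops[1::2]):
                target = src.replace("\\??\\", "")        # strip NT namespace prefix if present
                sev = "high" if target.rsplit("\\", 1)[-1].lower() in WAREZOV_NAMES else "review"
                action = "delete" if dst == "" else f"rename to {dst}"
                findings.append(Finding(sev, key, "PendingFileRenameOperations",
                                        f"{action}: {target} at next boot"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"[{f.severity}] {f.key}\\{f.value}: {f.detail}")
```

Every Winlogon Notify package and every AppInit_DLLs entry is reported even when it is not a known indicator, because on a clean Windows XP system AppInit_DLLs is empty and the Notify packages are a short, stable list; an unfamiliar name in either is worth a look regardless of which worm is suspected.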
It may try to connect to a remote web server to download a file (most likely to execute additional code or to update itself). Observed servers include the following, though others are possible:
[http://]strationee.com/chr/
[http://]gadesunheranwui.com/chr/
The worm then harvests e-mail addresses from the victim machine's Windows Address Book (WAB) and from local files with the following extensions: .xml, .xls, .wsh, .wab, .uin, .txt, .tbb, .stm, .shtm, .sht, .php, .oft, .ods, .nch, .msg, .mmf, .mht, .mdx, .mbx, .jsp, .html, .htm, .eml, .dhtm, .dbx, .cgi, .cfg, .asp, .adb.
It then sends itself to the harvested addresses using its own SMTP engine, with various subject lines and attachment names. The attachment name usually carries one of the extensions .log, .elm, .msg, .txt or .dat, which may be followed by multiple spaces and then by one of the executable extensions .bat, .cmd, .scr, .exe or .pif.
It may modify the HOSTS file to prevent access to certain security-related and anti-virus-related web sites.
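The padded double extension used both for the dropped copies in the temp folder and for the mailed attachments is the same trick, so one check covers both. As an added example (not from the original write-up and not Command Anti-Virus code), the Python function below classifies an attachment name the way a mail gateway or incident responder should: it reports the extension a user is likely to see, the extension Windows will actually use, the number of padding spaces between them, and whether the name matches the decoy/executable pairing described for this family. It handles the general padded double-extension trick, not only the specific extension pairs listed above. The sample names are constructed for the example.

```python
import re

# Decoy extensions the write-up lists for the attachment name, and the executable
# extensions that follow the space padding.
DECOY_EXTS = {"log", "elm", "msg", "txt", "dat"}
EXEC_EXTS = {"bat", "cmd", "scr", "exe", "pif"}
# Extensions to block outright at the mail server (the recommendation list plus the
# executable extensions above).
BLOCKED_EXTS = EXEC_EXTS | {"vbs"}

# "<anything>.<decoy><two or more blanks>.<real>": the padding pushes the real
# extension out of a truncated file-name column.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>.*?\.(?P<decoy>[a-z0-9]{1,4}))\s{2,}\.(?P<real>[a-z0-9]{1,4})$", re.I)


def classify_attachment(name):
    """Describe what a user sees versus what Windows will run for an attachment name."""
    # Windows strips trailing spaces and dots when creating a file, so normalize the
    # same way before deciding on the final extension.
    norm = name.rstrip(" .")
    real_ext = norm.rsplit(".", 1)[-1].lower() if "." in norm else ""
    m = PADDED_DOUBLE_EXT.match(norm)
    if m:
        apparent_ext = m.group("decoy").lower()
        padding = m.start("real") - 1 - m.end("base")   # blanks between the two extensions
    else:
        apparent_ext, padding = real_ext, 0
    return {
        "name": name,
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        "padding": padding,
        "block": real_ext in BLOCKED_EXTS,
        "warezov_pattern": bool(m) and apparent_ext in DECOY_EXTS and real_ext in EXEC_EXTS,
    }


def blocked_attachments(names):
    """Names a mail filter should reject, judged on the real (last) extension only."""
    return [n for n in names if classify_attachment(n)["block"]]


# Constructed attachment names, not taken from captured Warezov mail.
SAMPLE_NAMES = [
    "document.txt      .cmd",     # decoy .txt, six spaces, real .cmd
    "report.log   .scr",
    "notes.txt",                  # harmless
    "setup.exe",                  # executable, but no decoy extension
    "invoice.pdf  .exe",          # same trick with a decoy the write-up does not list
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = classify_attachment(n)
        print(f"{n!r:28} sees .{v['apparent_ext']:<4} runs .{v['real_ext']:<4} "
              f"pad={v['padding']} block={v['block']} warezov={v['warezov_pattern']}")
```

The block decision deliberately depends only on the last extension: a filter that looks at the first extension, or at a name truncated for display, is exactly what the padding is designed to get past. The warezov_pattern flag is a separate, family-specific signal for triage and reporting, not the thing the filter keys on.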
Removal and Recommendations
Command Anti-Virus for Windows (CSAV) detects and disinfects this threat as W32/Warezov with definition files dated 08/15/2006. Upgrade to the latest scan-engine release (CSAV 4.93.8) and update your definition files to the most current.
Configure your e-mail server to block or remove e-mail containing file attachments of the types commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files. Because this family hides the executable extension behind padding spaces, filter on the final extension of the attachment name rather than on the first one.
Do not open unknown and unexpected attachments.
Do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
Fully patch your system with the latest hot-fixes and security updates. Simply visiting a compromised web site can cause infection if certain browser vulnerabilities are not patched.