- Once the virus is run, it opens a Notepad window containing garbage.
- Presence of any of the following files in the %WINDOWS% folder:
  SERV.DLL (7,680 bytes)
  SERV.EXE (148,074 bytes, a copy of the virus)
  SERV.WAX (harvested e-mails are stored here)
- Presence of any of the following files in the %SYSTEM% folder:
  DMDLMSVF.DLL (28,672 bytes)
  E1.DLL (8,704 bytes)
  IISSMTXL.DLL (20,480 bytes)
  VDIEALRS.EXE (16,384 bytes)
- Presence of any of the following registry keys or entries:
  "AppInit_DLLs"=" dmdlmsvf.dll e1.dll"
%WINDOWS% points to the "Windows" folder (or "WinNT" on some Windows NT-based systems).
%SYSTEM% points to the "System32" folder (or the "System" folder on Windows 9x systems).
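The file and registry indicators listed above can be checked offline, for instance against a mounted disk image, with a short script. This is an added example, not BitDefender's code: the function names and command-line usage are assumptions, and the AppInit_DLLs value is passed in as text because the page does not give the full registry key path.

```python
import ntpath
import os
import sys

# Indicators copied from the symptom list: (folder, file name, size in bytes).
# A size of None means the page gives no size for that file.
INDICATORS = [
    ("windows", "SERV.DLL", 7680),
    ("windows", "SERV.EXE", 148074),
    ("windows", "SERV.WAX", None),
    ("system", "DMDLMSVF.DLL", 28672),
    ("system", "E1.DLL", 8704),
    ("system", "IISSMTXL.DLL", 20480),
    ("system", "VDIEALRS.EXE", 16384),
]
APPINIT_NAMES = ("dmdlmsvf.dll", "e1.dll")


def scan_folders(windows_dir, system_dir):
    """Return (path, size, size_matches) for each indicator file that exists."""
    roots = {"windows": windows_dir, "system": system_dir}
    hits = []
    for where, name, expected in INDICATORS:
        root = roots[where]
        entries = os.listdir(root) if os.path.isdir(root) else []
        for entry in entries:
            path = os.path.join(root, entry)
            # Compare case-insensitively: a mounted image may preserve case.
            if entry.upper() == name and os.path.isfile(path):
                size = os.path.getsize(path)
                hits.append((path, size, expected in (None, size)))
    return hits


def appinit_hits(value):
    """Return the worm DLL names present in an AppInit_DLLs value string."""
    # AppInit_DLLs entries are separated by spaces or commas and may be full paths.
    entries = value.lower().replace(",", " ").split()
    loaded = {ntpath.basename(e.strip('"')) for e in entries}
    return [name for name in APPINIT_NAMES if name in loaded]


if __name__ == "__main__":
    # Usage (hypothetical): scan.py <windows dir> <system dir> [AppInit_DLLs value]
    for path, size, same in scan_folders(sys.argv[1], sys.argv[2]):
        print(path, size, "size matches" if same else "name only, size differs")
    if len(sys.argv) > 3:
        print("AppInit_DLLs references:", appinit_hits(sys.argv[3]))
```

A name match with a different size is still reported, flagged separately, since it may be an unrelated file and needs a manual look.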
Please let BitDefender disinfect your files.
Terminate the process "serv.exe".
Delete the file "serv.exe".
Delete the registry entries and the created files (see Symptoms).
To delete e1.dll, do the following:
Terminate "explorer.exe" in Task Manager, then start a new "explorer" task.
Now you can delete e1.dll.
This threat arrives via e-mail. The format of the e-mail is as follows:
Subject: (any of the following)
Mail Delivery System
Mail server report
Mail Transaction Failed
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
Please install updates for worm elimination and your computer restoring.
Customers support service
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
The attachment has different formats. It is either:
Update-KB<%random%>-x86.exe or Update-KB<%random%>-x86.zip
or composed from strings:
Composed: STR1.STR2.STR3 or STR1.zip
(e.g. data.txt.pif, body.msg.exe, docs.zip)
Once the attachment has been run, the worm opens a Notepad window
containing garbage, creates the aforementioned files and registry keys
(see Symptoms) and starts searching for e-mail addresses, which are
stored in the file SERV.WAX.
It also terminates processes containing:
It has a list of URLs from which it attempts to download an update. If a file
is present at any of those URLs, the worm downloads and executes it.
Once the e-mail harvesting is done, it attempts to send itself to those e-mail addresses.