Win32.Worm.Stration.BB@mm
- Once the worm is run, it opens a Notepad window containing garbage
- Presence of any of the following files in the %WINDOWS% folder:
SERV.DAT
SERV.DLL (7,680 bytes)
SERV.EXE (148,074 bytes, a copy of the virus)
SERV.S
SERV.WAX (harvested e-mails are stored here)
SERV.Z
- Presence of any of the following files in the %SYSTEM% folder:
DMDLMSVF.DLL (28,672 bytes)
E1.DLL (8,704 bytes)
IISSMTXL.DLL (20,480 bytes)
VDIEALRS.EXE (16,384 bytes)
- Presence of any of the following registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"serv"="C:\\%WINDOWS%\\serv.exe s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" dmdlmsvf.dll e1.dll"
where
%WINDOWS% points to the "Windows" folder (or "WinNT" on some Windows NT-based systems)
%SYSTEM% points to the "System32" folder (or the "System" folder on Windows 9x systems)
Note that the "AppInit_DLLs" value causes dmdlmsvf.dll and e1.dll to be loaded into every process that loads user32.dll, which is why these DLLs stay locked while the system is running.
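The following is an added example, not BitDefender's tooling, that checks a host for the file and registry artifacts listed under Symptoms. The matching functions take a plain listing so they can be run offline against the constructed sample data below; scan_host() collects the real listing and registry values on Windows. Names are compared case-insensitively, and a listed file whose size differs from the one above is still reported (the worm can replace its own files from a download URL), with the size difference noted.

```python
"""Host check for the Stration.BB artifacts listed under Symptoms.

Added example, not part of the original description. match_files() and
match_registry() are pure so they can be tested offline; scan_host()
gathers real data on Windows.
"""
import os
import sys

# File indicators from the Symptoms section: folder token -> {name: size or None}.
FILE_IOCS = {
    "%WINDOWS%": {
        "serv.dat": None,
        "serv.dll": 7680,
        "serv.exe": 148074,
        "serv.s": None,
        "serv.wax": None,
        "serv.z": None,
    },
    "%SYSTEM%": {
        "dmdlmsvf.dll": 28672,
        "e1.dll": 8704,
        "iissmtxl.dll": 20480,
        "vdiealrs.exe": 16384,
    },
}

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_DLLS = ("dmdlmsvf.dll", "e1.dll")


def match_files(listing):
    """listing: iterable of (folder_token, filename, size_bytes).

    A name match with a different size is still reported, but flagged,
    because the worm may have updated itself after the initial infection.
    """
    findings = []
    for folder, name, size in listing:
        iocs = FILE_IOCS.get(folder, {})
        if name.lower() not in iocs:
            continue
        expected = iocs[name.lower()]
        if expected is None or expected == size:
            findings.append(f"{folder}\\{name} present")
        else:
            findings.append(f"{folder}\\{name} present (size {size}, expected {expected})")
    return findings


def match_registry(values):
    """values: dict {key_path: {value_name: data}} as exported from the host."""
    findings = []
    run_data = values.get(RUN_KEY, {}).get("serv")
    if run_data and "serv.exe" in run_data.lower():
        findings.append(f"{RUN_KEY}\\serv = {run_data}")
    appinit = values.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    loaded = appinit.lower().split()          # value is space-separated
    for dll in APPINIT_DLLS:
        if dll in loaded:
            findings.append(f"AppInit_DLLs loads {dll}")
    return findings


# Constructed sample data (not from a real host): an infected machine whose
# dmdlmsvf.dll has a non-standard size.
SAMPLE_LISTING = [
    ("%WINDOWS%", "SERV.EXE", 148074),
    ("%WINDOWS%", "SERV.WAX", 120),
    ("%WINDOWS%", "notepad.exe", 69120),
    ("%SYSTEM%", "E1.DLL", 8704),
    ("%SYSTEM%", "DMDLMSVF.DLL", 30000),
]
SAMPLE_REGISTRY = {
    RUN_KEY: {"serv": r"C:\WINDOWS\serv.exe s"},
    APPINIT_KEY: {"AppInit_DLLs": " dmdlmsvf.dll e1.dll"},
}


def scan_host():
    """Collect the real listing and registry values (Windows only).

    Assumes %SystemRoot% is the Windows folder. A 32-bit Python on 64-bit
    Windows is redirected to the WOW6432Node view of these keys.
    """
    if sys.platform != "win32":
        raise RuntimeError("scan_host() needs Windows")
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    folders = {"%WINDOWS%": windir, "%SYSTEM%": os.path.join(windir, "System32")}
    listing = []
    for token, path in folders.items():
        for name in FILE_IOCS[token]:
            full = os.path.join(path, name)
            if os.path.isfile(full):
                listing.append((token, name, os.path.getsize(full)))
    values = {}
    for key_path, names in ((RUN_KEY, ["serv"]), (APPINIT_KEY, ["AppInit_DLLs"])):
        subkey = key_path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[key_path] = {}
                for value_name in names:
                    try:
                        values[key_path][value_name] = winreg.QueryValueEx(key, value_name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return match_files(listing) + match_registry(values)


if __name__ == "__main__":
    for finding in (scan_host() if sys.platform == "win32"
                    else match_files(SAMPLE_LISTING) + match_registry(SAMPLE_REGISTRY)):
        print(finding)
```

Run it on the suspect host; any finding is enough to treat the machine as infected, since none of these names belongs to a legitimate Windows component.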
Please let BitDefender disinfect your files.
Manual removal:
Terminate the process "serv.exe" in Task Manager.
Delete the file "serv.exe".
Delete the registry entries and the created files (see Symptoms). Remove the "AppInit_DLLs" value before the next step; otherwise the restarted explorer.exe will load e1.dll again.
To delete e1.dll (which is locked because AppInit_DLLs loads it into every process that uses user32.dll, including explorer.exe):
Terminate "explorer.exe" in Task Manager and start a new "explorer" task (File > New Task).
Now you can delete e1.dll. If dmdlmsvf.dll also cannot be deleted, apply the same procedure to it.
This threat arrives via e-mail. The format of the e-mail is as follows:
Subject: (any of the following)
Error
Good day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
Body:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
or
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
Attachment:
The attachment name takes one of two forms. It is either:
Update-KB<%random%>-x86.exe or Update-KB<%random%>-x86.zip
(where <%random%> is a random value, e.g. Update-KB8328-x86.exe)
or a name composed from the following strings:
STR1:
body
data
doc
docs
document
file
message
readme
test
text
STR2:
dat
elm
log
msg
txt
STR3:
bat
cmd
exe
pif
scr
Composed as STR1.STR2.STR3 or STR1.zip
(e.g. data.txt.pif, body.msg.exe, docs.zip)
The middle extension is a lure: with "Hide extensions for known file types" enabled, data.txt.pif is displayed as data.txt while still being executed as a program when opened.
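The following is an added example, not part of the original description, of a mail-gateway rule that recognises the message format above: the subject list, the Update-KB<%random%>-x86 attachment, and the STR1.STR2.STR3 / STR1.zip attachment scheme. The sample messages are constructed for the example. It assumes <%random%> is numeric, as in the page's own example; the decision logic (quarantine on attachment name, only flag on subject) is the example's choice, not something the description specifies.

```python
"""Mail-gateway classifier for the Stration.BB message format.

Added example, not BitDefender's code. Sample messages are constructed.
"""
import re

# Subject lines listed in the description, compared case-insensitively.
SUBJECTS = {
    "error", "good day", "hello", "mail delivery system", "mail server report",
    "mail transaction failed", "picture", "server report", "status",
}

STR1 = "body|data|doc|docs|document|file|message|readme|test|text"
STR2 = "dat|elm|log|msg|txt"
STR3 = "bat|cmd|exe|pif|scr"

# Update-KB<%random%>-x86.exe / .zip. Assumption: <%random%> is digits,
# matching the page's example Update-KB8328-x86.exe.
UPDATE_RE = re.compile(r"^Update-KB\d+-x86\.(?:exe|zip)$", re.IGNORECASE)

# STR1.STR2.STR3 (e.g. data.txt.pif) or STR1.zip (e.g. docs.zip).
COMPOSED_RE = re.compile(
    rf"^(?:{STR1})\.(?:(?:{STR2})\.(?:{STR3})|zip)$", re.IGNORECASE
)


def is_stration_attachment(name):
    """True if the attachment name follows either naming scheme."""
    return bool(UPDATE_RE.match(name) or COMPOSED_RE.match(name))


def is_stration_subject(subject):
    return subject.strip().lower() in SUBJECTS


def classify(message):
    """message: dict with 'subject' and 'attachments' (list of file names).

    Returns (verdict, reason). An attachment name match is decisive: a fake
    KB patch or a double-extension executable has no legitimate use here.
    A listed subject with no such attachment is only a weak signal, because
    subjects like "Mail Delivery System" also appear on genuine bounces.
    """
    for name in message.get("attachments", []):
        if is_stration_attachment(name):
            return "quarantine", f"attachment name matches worm scheme: {name}"
    if is_stration_subject(message.get("subject", "")):
        return "suspicious", "subject matches worm list, no matching attachment"
    return "clean", ""


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Mail server report", "attachments": ["Update-KB8328-x86.exe"]},
    {"subject": "hello", "attachments": ["data.txt.pif"]},
    {"subject": "picture", "attachments": ["docs.zip"]},
    {"subject": "Mail Delivery System", "attachments": []},
    {"subject": "Re: Q3 numbers", "attachments": ["data.txt"]},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reason = classify(msg)
        print(f"{verdict:11} {msg['subject']!r:28} {reason}")
```

The composed pattern deliberately requires all three parts for the executable form: a plain data.txt or data.pif does not match, so the rule does not fire on ordinary text attachments.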
Once the attachment has been run, the worm opens a Notepad window
containing garbage, creates the files and registry entries listed above
(see Symptoms) and starts searching the local machine for e-mail addresses,
which it stores in the file SERV.WAX.
It also terminates processes whose names contain any of the following strings (mostly antivirus updaters and Windows Update components, to keep the infection from being cleaned up):
alunotify
wuauserv
drwebupw
nod32krn
wuauclt1
upgrader
mcupdate
NOD32krn
autodown
spiderml
avgupsvc
avginet
sndsrvc
ndetect
SNDSrvc
aupdate
wupdmgr
wuauclt
luinit
kavsvc
lsetup
lucoms
kavsvc
tbmon
luall
It has a list of URLs from which it attempts to download an update. If a file
is present at any of those URLs, the worm downloads and executes it, so the files and sizes
listed under Symptoms may differ on a machine that has been infected for some time.
Once the e-mail harvesting is done, it sends itself to the harvested e-mail addresses.