
Win32.Worm.Stration.BB@mm

LOW
MEDIUM
148,074 bytes

Symptoms

- Once the virus is run, it opens a Notepad window containing garbage.

- Presence of any of the following files in the %WINDOWS% folder:

SERV.DAT
SERV.DLL (7,680 bytes)
SERV.EXE (148,074 bytes, a copy of the virus)
SERV.S
SERV.WAX (harvested e-mails are stored here)
SERV.Z


- Presence of any of the following files in the %SYSTEM% folder:

DMDLMSVF.DLL (28,672 bytes)
E1.DLL (8,704 bytes)
IISSMTXL.DLL (20,480 bytes)
VDIEALRS.EXE (16,384 bytes)

- Presence of any of the following registry keys or entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"serv"="C:\\%WINDOWS%\\serv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" dmdlmsvf.dll e1.dll"


where

%WINDOWS% points to the "Windows" folder (or "WinNT" on some Windows NT based systems)
%SYSTEM% points to the "System32" folder (or the "System" folder on Windows 9x systems)

Removal instructions:

Please let BitDefender disinfect your files.

Manual removal:

Terminate the process "serv.exe".

Delete the file "serv.exe".

Delete the registry entries and the created files (see Symptoms).

To delete e1.dll do the following (the AppInit_DLLs entry listed above causes Explorer to load it, so the file is locked while that Explorer instance is running):

Terminate "explorer.exe" in Task Manager, then start a new "explorer" task.

Now you can delete e1.dll.



Analyzed By

Patrik Vicol, virus researcher

Technical Description:

This threat arrives via e-mail. The format of the e-mail is as follows:

Subject: (any of the following)

Error
Good day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status


Body:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.

After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

or

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment


Attachment:
The attachment has different formats. It is either:

Update-KB<%random%>-x86.exe or Update-KB<%random%>-x86.zip

(eg: Update-KB8328-x86.exe)

or composed from the following strings:

STR1:
body
data
doc
docs
document
file
message
readme
test
text

STR2:
dat
elm
log
msg
txt

STR3:
bat
cmd
exe
pif
scr

Composed: STR1.STR2.STR3 or STR1.zip

(eg: data.txt.pif, body.msg.exe, docs.zip)
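As an added example (not part of the Bitdefender description), a Python mail-gateway filter built from the attachment naming schemes above; the random part of Update-KB<%random%>-x86 is assumed to be digits, as in the example Update-KB8328-x86.exe, and the labels and sample names are constructed.

```python
import re
from typing import List, Optional, Tuple

# Lists transcribed from the STR1/STR2/STR3 tables above.
STR1 = ["body", "data", "doc", "docs", "document", "file", "message", "readme", "test", "text"]
STR2 = ["dat", "elm", "log", "msg", "txt"]
STR3 = ["bat", "cmd", "exe", "pif", "scr"]


def _alt(words: List[str]) -> str:
    """Build a regex alternation from a word list."""
    return "|".join(re.escape(w) for w in words)


# Update-KB<%random%>-x86.exe or .zip; the random part is assumed to be digits.
UPDATE_RE = re.compile(r"^Update-KB\d+-x86\.(exe|zip)$", re.IGNORECASE)
# STR1.STR2.STR3, e.g. data.txt.pif (double extension hiding an executable).
TRIPLE_RE = re.compile(rf"^({_alt(STR1)})\.({_alt(STR2)})\.({_alt(STR3)})$", re.IGNORECASE)
# STR1.zip, e.g. docs.zip
ZIP_RE = re.compile(rf"^({_alt(STR1)})\.zip$", re.IGNORECASE)


def classify_attachment(name: str) -> Optional[str]:
    """Return a constructed label for names matching the worm's schemes, else None."""
    name = name.strip()
    if UPDATE_RE.match(name):
        return "stration-update-kb"
    if TRIPLE_RE.match(name):
        return "stration-double-extension"
    if ZIP_RE.match(name):
        return "stration-zip"
    return None


def flag_message(attachments: List[str]) -> List[Tuple[str, str]]:
    """Return (name, label) pairs for every attachment that matches a scheme."""
    hits = []
    for n in attachments:
        label = classify_attachment(n)
        if label:
            hits.append((n, label))
    return hits


# Constructed sample attachment names for a stand-alone run.
SAMPLE = ["Update-KB8328-x86.exe", "data.txt.pif", "body.msg.exe", "docs.zip",
          "report.pdf", "document.txt", "readme.zip.exe"]

if __name__ == "__main__":
    for n, label in flag_message(SAMPLE):
        print(f"{n}: {label}")
```

Names such as docs.zip are common for legitimate mail, so the zip rule is a trigger for content scanning (the executable inside is 148,074 bytes) rather than a standalone block.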


Once the attachment has been run, the worm opens a Notepad window
containing garbage, creates the aforementioned files and registry keys
(see Symptoms) and starts searching for e-mail addresses, which are
stored in the file SERV.WAX.

It also terminates processes whose names contain any of the following strings:

alunotify
wuauserv
drwebupw
nod32krn
wuauclt1
upgrader
mcupdate
NOD32krn
autodown
spiderml
avgupsvc
avginet
sndsrvc
ndetect
SNDSrvc
aupdate
wupdmgr
wuauclt
luinit
kavsvc
lsetup
lucoms
kavsvc
tbmon
luall



It has a list of URLs from which it attempts to download an update. If a file
is present at any of those URLs, the worm downloads and executes it.

Once the e-mail harvesting is done, it attempts to send itself to those e-mail addresses.