BitDefender Antivirus

Win32.Tzar.A@mm

( W32/VBSun-A, Worm.Zar.A )
Spreading: low
Damage: very low
Size: ~20Kbytes
Discovered: 2005 Jan 18

SYMPTOMS:

The presence of the following files in the Windows directory:

tsunami.exe
raz32.exe
crssr.exe

TECHNICAL DESCRIPTION:

The virus is a mass-mailer written in Visual Basic, 20K in size.

At runtime, it drops three files in the Windows directory (usually c:\windows or c:\winnt), named "tsunami.exe", "raz32.exe" and "crssr.exe". It adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CaptionMgr32 = "%systemroot%\crssr.exe".
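
A host check for the dropped files and the Run entry described above, as an added example (not Bitdefender's own tooling). The variable names and the WOW6432Node path are assumptions added here; a matching file name alone does not confirm infection.

```powershell
# Added example: checks this host for the indicators in the description above.
$winDir = $env:SystemRoot   # usually C:\Windows or C:\WINNT
$dropped = 'tsunami.exe', 'raz32.exe', 'crssr.exe'
$valueName = 'CaptionMgr32'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: on 64-bit Windows, a 32-bit program's write to the key above
    # is redirected here.
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($name in $dropped) {
    $path = Join-Path $winDir $name
    # -Force also returns hidden and system files
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file) {
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Location  = $file.FullName
            Detail    = '{0} bytes, last written {1:u}' -f $file.Length, $file.LastWriteTimeUtc
        }
    }
}

foreach ($key in $runKeys) {
    # Returns nothing (error suppressed) when the key or the value is absent
    $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($entry) {
        $findings += [pscustomobject]@{
            Indicator = 'Run value'
            Location  = "$key\$valueName"
            Detail    = $entry.$valueName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```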

It then searches for e-mail addresses in the victim's Outlook address book and sends itself to those addresses in an e-mail with the following format:

Subject: Tsunami Donation! Please help!
Body: Please help us with your donation and view the attachement below! We need you!
Attachment: tsunami.exe

The virus will then attempt a denial-of-service attack against the following website:
www.hacksector.de

Removal instructions:

Let Bitdefender delete the files it finds infected.

ANALYZED BY:

Daniel Ionita.
Bitdefender Virus Researcher.