Virus Alert: Worm Uses Own SMTP Engine to Spread

W32/Israz-A is an email worm that spreads using its own SMTP engine, so it can send mail without going through the victim's email client. It also targets the KaZaA file sharing utility. On execution the worm copies itself into the Windows system folder as vShell.exe and Win32.exe.

It also drops copies of itself into the Windows temp folder under the names Fun.exe, FAQ.exe, Q322593.exe, Support.exe, ToolBar.exe and Wizard.exe.

W32/Israz-A extracts a freeware SMTP component, ossmtp.dll, and a secondary worm component, vUser.exe, into the Windows system folder. It harvests email addresses from the Windows Address Book and sends itself as the attachment of an email message with certain characteristics, which are listed on this Sophos page.

Antivirus vendor Trend Micro detects the same malware as Worm_Izra. Its write-up says the worm sends an email to each contact in the Microsoft Outlook address book, with any of several properties, which are listed on this Trend Micro page.

Worm_Spybot.Gen Both a Worm and a Backdoor

This is Trend Micro's detection name for several variants of the Spybot malware, which is both a worm and a backdoor. It spreads through the Kazaa peer-to-peer file sharing network, and its backdoor component connects to certain IRC (Internet Relay Chat) servers.

Via IRC it receives commands from remote users and carries them out on the compromised machine. The worm runs on Windows 95, 98, ME, NT, 2000 and XP. Technical details are at this Trend Micro page.

Worms Have Backdoor Trojan Functionalities

W32.HLLW.Warpigs is a worm with backdoor Trojan functionality. It attempts to copy itself to computers that have weak administrator passwords, so a strong, unique administrator password on every machine blocks its spread. The presence of the file Discworld.exe indicates a possible infection.

The backdoor connects to a specific mIRC server and joins a specific channel to receive instructions. The default ports are 6666 and 6667, so outbound connections to those ports from anything other than a known IRC client are worth checking.

Technical details for Warpigs are at this Symantec page.

W32.HLLW.Warpigs.B behaves the same way: it also contains backdoor Trojan functionality, attempts to copy itself to computers with weak administrator passwords, and receives instructions by connecting to a specific mIRC server and joining a specific channel, again with 6666 and 6667 as the default ports.

Technical details are at this Symantec page.

Worm Uses Outlook to Send Itself to All Address Book Contacts

W32.Jantic@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book. It is a Visual Basic application compiled to native code.

The email has the following characteristics (the spelling errors are the worm's own, and are useful for matching):

Subject: You have a ecard!
Body: You have recieved a E-Card! Check your attatchments!
Attachment: attachment.exe (36,864 bytes)

More information is at this Symantec page.

Worm Affects all .exe Files in Current Folder

W32.Sadon.dr is a dropper for W32.Sadon.867, which infects all the .exe files in the current folder. Note that virus definitions dated before July 10, 2003 may detect this threat as W32.MutantQSix.dr.

Read more at this Symantec page.

Worm Displays Message Titled ‘Valentina’ When Run

W32.Zokrim.V@mm is a variant of W32.Zokrim@mm. Like the original, it is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book. When run, the worm displays a message titled "Valentina."

The email has the following characteristics:

Subject: "" and YOU
Body: Dammi il tuo amore.....
Attachment: vale.exe

This threat is written in the Microsoft Visual Basic (VB) programming language. Technical details are at this Symantec page.
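The Jantic and Zokrim listings above are exactly the kind of subject/attachment indicators a mail gateway rule is built from. The following is an added example, not code from the article or from Symantec: it parses messages with Python's standard email library and matches them against the two indicator sets as the article gives them (Jantic on subject, attachment name and the 36,864-byte size; Zokrim on the " and YOU" subject suffix and the vale.exe name). The three messages are constructed here and the attachment contents are filler bytes, not worm samples.

```python
"""Match mail against the Jantic and Zokrim indicators from the two listings above.

Added example; not code from the article or from Symantec. The indicator
values are the article's; the three messages are constructed here, and the
attachment contents are filler, not worm samples.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Indicators as the article gives them. Zokrim's subject is an empty quoted
# string followed by ' and YOU', so only the suffix is matched.
INDICATORS = {
    "W32.Jantic@mm": {
        "subject": "you have a ecard!",
        "attachment": "attachment.exe",
        "size": 36864,
    },
    "W32.Zokrim.V@mm": {
        "subject_suffix": "and you",
        "attachment": "vale.exe",
    },
}


def attachments(msg):
    """Yield (lowercased filename, decoded size in bytes) for each attachment."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name.lower(), len(part.get_payload(decode=True))


def classify(raw):
    """Return the name of the worm whose indicators the message matches, or None."""
    msg = email.message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "").strip().lower()
    atts = list(attachments(msg))
    for worm, ind in INDICATORS.items():
        if "subject" in ind and subject != ind["subject"]:
            continue
        if "subject_suffix" in ind and not subject.endswith(ind["subject_suffix"]):
            continue
        for fname, size in atts:
            if fname != ind["attachment"]:
                continue
            if "size" in ind and size != ind["size"]:
                continue               # same name, different size: not this worm
            return worm
    return None


def build_message(subject, body, filename, payload):
    """Construct a multipart test message with one binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


# Constructed samples. The Jantic attachment is padded to the 36,864 bytes the
# article reports; the bodies repeat the worm text verbatim, typos included.
JANTIC = build_message("You have a ecard!",
                       "You have recieved a E-Card! Check your attatchments!",
                       "attachment.exe", b"MZ" + b"\0" * (36864 - 2))
ZOKRIM = build_message('"" and YOU', "Dammi il tuo amore.....",
                       "vale.exe", b"MZ" + b"\0" * 510)
BENIGN = build_message("Lunch?", "Noon at the usual place?",
                       "menu.pdf", b"%PDF-1.4\n" + b"\0" * 64)

if __name__ == "__main__":
    for label, raw in (("JANTIC", JANTIC), ("ZOKRIM", ZOKRIM), ("BENIGN", BENIGN)):
        print(label, "->", classify(raw))
```

The size check is what keeps the Jantic rule from firing on any message that happens to carry a file called attachment.exe; an attachment with the right name but a different size is reported as no match, which is the right call for a rule this narrow.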

Trojan Horse Tries to Delete Files and Block Programs

W32.Laorenshen.Trojan is a Trojan horse that tries to delete files and block the use of the computer’s normal programs. It is compressed with UPX and ASPack.

Technical details are at this Symantec page.


Keylogger Tracks User Activities

Keylogger.Cone.Trojan is a keylogger that tracks various user activities. It periodically sends its tracking logs to a remote attacker using email or ftp.

Read more at this Symantec page.

Lovgate Variant Also Infects Executables

This variant of W32/Lovgate closely resembles W32/Lovgate.j@M in that it:

  • copies itself over network shares
  • mails itself, replying to unread messages in the Microsoft Outlook and Outlook Express inboxes
  • drops a backdoor component (detected as BackDoor-AQJ)

In addition, this variant parasitically infects executables on the victim machine and on network drives.

The worm replies to unread messages in the Microsoft Outlook and Outlook Express inbox; the email messages are constructed as for W32/Lovgate.f@M. Read more at this McAfee page.

Backdoor-CY Program Performs Several Remote Functions

This backdoor package consists of four programs: a client, a server, a compiler and a binder.

Server.exe — This file must be built with the compiler before it will run. The server executes in the background, listening for remote connections from the client and processing the commands sent to it. Once the server is running on the victim machine, the attacker can connect to (and administer) that machine using the client component.

Client.exe — The remote user runs this to connect to a host computer that is running the server component. Once connected, the remote user can carry out many commands.

Compiler.exe — This program builds the server program.

Binder.exe (detected as a Multidropper) — This program joins other files to the server program to hide it from the target. For instance, it can bind NOTEPAD.EXE to the server component: when the targeted user runs the combined file, Notepad opens while the server installs itself and runs in the background.

More information is at this McAfee page.
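A binder like the one described above needs somewhere to keep the second executable inside the carrier, and the usual place is after the carrier's last section, where neither the loader nor a casual look at the file notices it. The following is an added example, not code from the article or from McAfee, and not an analysis of Backdoor-CY's Binder.exe: it assumes the common appended-payload layout (a binder that rewrites the carrier instead would need a different check), parses the PE headers to find where the last section's raw data ends, and reports anything past that point as overlay. The two executables it checks are constructed in the block, deliberately minimal, and not runnable.

```python
"""Detect data appended past the last PE section, the overlay a file binder leaves.

Added example; not code from the article or from McAfee, and not an analysis
of Backdoor-CY's Binder.exe. It assumes the common binder layout in which the
joined payload is appended after the carrier executable's last section; a
binder that rewrites the carrier instead would need a different check.
Both executables here are constructed, deliberately minimal, and not runnable.
"""
import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                               # PointerToRawData, ..., Characteristics


def overlay_info(data):
    """Return (end_of_last_section, overlay_size) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    sec_table = coff + struct.calcsize(COFF_FMT) + opt_size
    # The headers themselves are file content; start from the end of the table.
    end = sec_table + nsections * struct.calcsize(SECTION_FMT)
    for i in range(nsections):
        off = sec_table + i * struct.calcsize(SECTION_FMT)
        _, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, off)
        if raw_size:                   # sections with no raw data (e.g. .bss) are skipped
            end = max(end, raw_ptr + raw_size)
    return end, len(data) - end


def overlay_bytes(data):
    """Return the appended data, empty if the file has no overlay."""
    end, _ = overlay_info(data)
    return data[end:]


def build_pe(sections, appended=b""):
    """Construct a toy PE: DOS stub, PE signature, COFF header, section table, raw data.

    sections is a list of (name, PointerToRawData, SizeOfRawData). The optional
    header is omitted (SizeOfOptionalHeader = 0), which a real loader would
    reject but which exercises exactly the fields the overlay check reads.
    """
    e_lfanew = 0x40
    image_end = max(ptr + size for _, ptr, size in sections)
    img = bytearray(image_end)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    hdr = b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    for i, (name, ptr, size) in enumerate(sections):
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, 0x1000 * (i + 1),
                           size, ptr, 0, 0, 0, 0, 0x60000020)
        img[ptr:ptr + size] = b"\x90" * size      # filler for the section body
    img[e_lfanew:e_lfanew + len(hdr)] = hdr
    return bytes(img) + appended


LAYOUT = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x100)]
PAYLOAD = b"MZ-second-executable-stuck-on-the-end" * 8   # constructed stand-in for a bound server
CARRIER = build_pe(LAYOUT)               # an unmodified notepad-like carrier
BOUND = build_pe(LAYOUT, PAYLOAD)        # the same carrier with a payload appended

if __name__ == "__main__":
    for label, blob in (("carrier", CARRIER), ("bound", BOUND)):
        end, extra = overlay_info(blob)
        print(f"{label}: image ends at {end:#x}, overlay {extra} bytes")
```

An overlay is not proof of binding on its own: installers, self-extracting archives and signed binaries (the Authenticode signature lives past the last section) all carry one legitimately. What makes it a useful triage signal is the combination, an overlay on a file that should not have one, such as a copy of Notepad, or an overlay that itself starts with an MZ header.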

Compiled by Esther Shein.
