Threat Encyclopedia

Installation

When executed, the worm copies itself into the %windir% folder under the following filename:

serv.exe

The following files are dropped in the same folder:

serv.dll
serv.wax
serv.s
serv.z

The following files are dropped in the %system% folder:

e1.dll
rasaw32t.dll
rdpwvbsc.exe
wmisshim.dll

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"serv" = "%windir%\serv.exe s"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "rwmisshim.dll e1.dll"

Spreading via e-mail

E-mail addresses for further spreading are harvested from local files.
The subject of the message is one of the following:

Error
Good Day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
test

The body of the message is one of the following:

Mail transaction failed. Partial message is available.



Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service




The message contains Unicode characters and has been sent
as a binary attachment.



The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

The attachment is either an executable of the worm, or a ZIP archive containing it. Its filename is one of the following:

body
data
doc
docs
document
file
readme
test
text
Update-KB1125-x86
Update-KB2203-x86
Update-KB2781-x86
Update-KB2812-x86
Update-KB3000-x86
Update-KB4937-x86
Update-KB5093-x86
Update-KB6375-x86
Update-KB7484-x86
Update-KB1203-x86
Update-KB1375-x86
Update-KB1656-x86
Update-KB1781-x86
Update-KB1968-x86
Update-KB2875-x86
Update-KB2937-x86
Update-KB6843-x86
Update-KB7578-x86
Update-KB7687-x86
Update-KB8203-x86
Update-KB9093-x86
Update-KB9171-x86
Update-KB9765-x86
Update-KB9812-x86

If an archive is attached, the name has the following extension:

.zip

If an executable is attached, a double extension may be used. The first one is one of the following:

.dat
.elm
.log
.msg
.txt

The second one is one of the following:

.bat
.cmd
.exe
.scr
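As an added defender-side example (not part of the encyclopedia entry), the following Python code checks an attachment filename against the naming scheme described above: a lure base name or an Update-KBnnnn-x86 name, combined with a .zip extension, a decoy double extension, or a bare executable extension. The sample messages at the bottom are constructed for illustration.

```python
import re

# Attachment base names and subject lines taken from the description above.
LURE_NAMES = {"body", "data", "doc", "docs", "document", "file", "readme", "test", "text"}
UPDATE_KB = re.compile(r"^update-kb\d{4}-x86$")  # matched against the lower-cased base name
SUBJECTS = {"Error", "Good Day", "hello", "Mail Delivery System", "Mail server report.",
            "Mail Transaction Failed", "picture", "Server Report", "Status", "test"}

# First (decoy) and second (executable) extensions of the double-extension scheme.
DECOY_EXTS = {".dat", ".elm", ".log", ".msg", ".txt"}
EXEC_EXTS = {".bat", ".cmd", ".exe", ".scr"}


def split_name(filename):
    """Return (base, [ext1, ext2, ...]) with everything lower-cased."""
    parts = filename.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]


def classify_attachment(filename):
    """Return a short reason if the name follows the worm's scheme, else None."""
    base, exts = split_name(filename)
    if base not in LURE_NAMES and not UPDATE_KB.match(base):
        return None
    if exts == [".zip"]:
        return "lure name with .zip archive"
    if len(exts) == 2 and exts[0] in DECOY_EXTS and exts[1] in EXEC_EXTS:
        return "lure name with decoy double extension"
    if len(exts) == 1 and exts[0] in EXEC_EXTS:
        return "lure name with executable extension"
    return None


def flag_messages(messages):
    """messages: iterable of (subject, attachment). Returns flagged
    (attachment, reason, subject_matches) tuples for a mail-gateway rule."""
    flagged = []
    for subject, attachment in messages:
        reason = classify_attachment(attachment)
        if reason:
            flagged.append((attachment, reason, subject in SUBJECTS))
    return flagged


# Constructed sample messages (hypothetical, not from the page).
SAMPLE_MESSAGES = [
    ("Mail Transaction Failed", "document.txt.exe"),
    ("Server Report", "Update-KB2781-x86.zip"),
    ("Weekly numbers", "quarterly_report.pdf"),
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE_MESSAGES):
        print(hit)
```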