Threat Encyclopedia

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

serrv.exe

The following files are dropped in the same folder:

serrv.wax

serrv.s

The following file is dropped in the %system% folder:

e1.dll

The library is loaded and injected into the following process:

explorer.exe

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"serrv" = "%windir%\serrv.exe s"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "e1.dll"
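The two autostart entries above are the first thing a responder checks on a suspect host. The following Python script is an added example, not part of the original encyclopedia entry: it parses a registry export in .reg text format (a constructed sample is embedded, so it runs off-host and offline) and flags the Run value and AppInit_DLLs entry described above, then checks directory listings for the dropped file names. The key paths, value names and file names are the ones this entry gives; the sample export's benign entries and the helper function names are assumptions.

```python
import re

# Registry keys and value names as given on the page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# File names the page lists as dropped, grouped by folder.
WINDIR_DROPS = {"serrv.exe", "serrv.wax", "serrv.s"}
SYSTEM_DROPS = {"e1.dll"}

# Constructed sample export: one benign Run value plus the two entries the worm sets.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\Windows\system32\SecurityHealthSystray.exe"
"serrv"="%windir%\serrv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="e1.dll"
"LoadAppInit_DLLs"=dword:00000001
"""


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}}.

    Only string and dword lines are handled, which is enough for autostart
    review. Doubled backslashes (as regedit writes them) are unescaped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
        if m and current is not None:
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def check_persistence(keys):
    """Return (reason, evidence) pairs for the two autostart entries the worm sets."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if "serrv.exe" in data.lower():
            findings.append(("Run value launches dropped executable", f'{name} = "{data}"'))
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    # AppInit_DLLs may hold several names separated by spaces or commas.
    dlls = {d.lower() for d in re.split(r"[,;\s]+", appinit) if d}
    if "e1.dll" in dlls:
        findings.append(("AppInit_DLLs loads dropped library", f'AppInit_DLLs = "{appinit}"'))
    return findings


def check_dropped_files(windir_names, system_names):
    """Return (folder, name) pairs for dropped file names found in directory listings."""
    hits = [("%windir%", n) for n in windir_names if n.lower() in WINDIR_DROPS]
    hits += [("%system%", n) for n in system_names if n.lower() in SYSTEM_DROPS]
    return hits


if __name__ == "__main__":
    for finding in check_persistence(parse_reg_export(SAMPLE_REG)):
        print("PERSISTENCE:", *finding)
    # Constructed listings standing in for os.listdir() of the two folders.
    windir = ["explorer.exe", "serrv.exe", "serrv.wax"]
    system = ["kernel32.dll", "e1.dll"]
    for hit in check_dropped_files(windir, system):
        print("DROPPED FILE:", *hit)
```

On a live host the export comes from `reg export` of the two keys; the parser reads either regedit's doubled backslashes or the single-backslash form shown on this page. AppInit_DLLs is a legitimate, if long-deprecated, mechanism that loads the named library into every process that maps user32.dll, so any non-empty value deserves a look even when it is not `e1.dll`; conversely, a file-name match alone is weak evidence, since a rebuilt sample can use other names, and should be confirmed against your vendor's detection.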

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Addresses containing the following strings are avoided:

.edu
.gov
.mil
@avp
@foo
admin
anyone@
apache
berkeley
bsd
bugs@
cafee
certific
contact
contract@
example
fido
ftp
gnu
gold-certs
google
help
help@
ibm.com
icrosoft
info@
kasp
kernel
linux
local
master
mozilla
mydomai
news
nobody
noone
noreply
panda
pgp
privacy
rating
rfc-ed
ripe.
root@
samples
secure
sendmail
service
somebody
someone
spam
support
unix
update
update
usenet
user
winrar
winzip
www
x
xx
you
your

Strings from the following 4 lists may be used to form the sender address:

sec
serv
secur

adam
alice
anna
betty
bob
brenda
brent
brian
carol
claudia
craig
cyber
dan
dave
david
debby
den
Donn
frank
george
gerhard
helen
james
jane
jayson
jerry
jim
joe
john
karen
linda
lisa
mancy
maria
ruth
sandra
sharon
Susan

adams
allen
anderson
baker
carter
clark
garcia
gonzalez
green
hall
harris
hernandez
hill
jackson
jeremy
joe
kenneth
king
lee
lewis
lopez
martin
martinez
miller
molly
moore
nelson
robinson
robyn
rodriguez
scott
shaan
taylor
thomas
thompson
walker
white
wilson
wright
young

areainc.com
elamex.com
fcradio.net
firstclassmoving.com
gametemple.com
guierfence.com
heatwave.com
iinet.net.au
logoluso.com
megaman.com
midmich.net
motorsportwarehouse.com
niet.com
phazen.net
selectplans.com
scholzes.com
sycamorepd.com
telcan.com
tjh.com
vieng.com

Subject of the message is one of the following:

Mail server report.
Server Report
Mail Delivery System
test
picture
hello
Status
Error
Good day
Mail Transaction Failed

Body of the message is one of the following:

Mail transaction failed. Partial message is available.




The message contains Unicode characters and has been sent as a binary attachment.




The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment




Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

The attachment is either an executable of the worm, or an archive containing it. Its filename is one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB-%variable%-x86

Here %variable% stands for a variable 4-digit number.

If an executable is attached, a double extension may be used. The first is one of the following:

.dat
.doc
.elm
.log
.msg
.txt

The second is one of the following:

.bat
.cmd
.exe
.pif
.scr

If an archive is attached, the name has the following extension:

.zip
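The subject, body and attachment-naming rules above translate directly into a mail-gateway triage rule. The following Python is an added example, not part of the original encyclopedia entry: it builds regular expressions from the base-name, extension and subject lists given above and classifies constructed sample messages, requiring both a listed subject and a payload-style attachment before calling a message a match. The lists are the page's; the sample messages and the function names are assumptions.

```python
import re

# Attachment base names, extensions and subject lines as listed on the page.
BASENAMES = ["body", "data", "doc", "docs", "document", "file",
             "message", "readme", "test", "text"]
FIRST_EXT = ["dat", "doc", "elm", "log", "msg", "txt"]   # optional decoy extension
EXEC_EXT = ["bat", "cmd", "exe", "pif", "scr"]           # executable extension
SUBJECTS = {"Mail server report.", "Server Report", "Mail Delivery System",
            "test", "picture", "hello", "Status", "Error", "Good day",
            "Mail Transaction Failed"}

# Base name is a listed word or Update-KB-%variable%-x86 with a 4-digit %variable%.
_BASE = r"(?:" + "|".join(map(re.escape, BASENAMES)) + r"|Update-KB-\d{4}-x86)"
# Executable: base, optional decoy extension, then an executable extension.
EXECUTABLE_RE = re.compile(
    r"^" + _BASE + r"(?:\.(?:" + "|".join(FIRST_EXT) + r"))?"
    r"\.(?:" + "|".join(EXEC_EXT) + r")$",
    re.IGNORECASE,
)
# Archive: base followed directly by .zip.
ARCHIVE_RE = re.compile(r"^" + _BASE + r"\.zip$", re.IGNORECASE)


def classify_attachment(filename):
    """Return 'executable', 'archive' or None for one attachment file name."""
    if EXECUTABLE_RE.match(filename):
        return "executable"
    if ARCHIVE_RE.match(filename):
        return "archive"
    return None


def triage_message(subject, attachments):
    """Return the list of reasons a message resembles the worm's mail template."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append(f"subject from worm list: {subject.strip()!r}")
    for name in attachments:
        kind = classify_attachment(name)
        if kind:
            reasons.append(f"{kind} attachment named like worm payload: {name!r}")
    return reasons


def verdict(subject, attachments):
    """'match' needs both cues; one cue alone is only 'suspicious'."""
    reasons = triage_message(subject, attachments)
    has_subject = any(r.startswith("subject") for r in reasons)
    has_attachment = any("attachment" in r for r in reasons)
    if has_subject and has_attachment:
        return "match"
    return "suspicious" if reasons else "clean"


# Constructed sample messages: (subject, attachment names).
SAMPLES = [
    ("Mail Transaction Failed", ["document.txt.exe"]),
    ("Mail server report.", ["Update-KB-4817-x86.zip"]),
    ("hello", []),
    ("Q3 budget", ["budget.xlsx"]),
]

if __name__ == "__main__":
    for subject, atts in SAMPLES:
        print(f"{verdict(subject, atts):10} {subject!r} {atts}")
```

Several of the subjects ("test", "hello", "Error") occur in ordinary mail, which is why the verdict insists on an attachment cue as well; the attachment pattern is the stronger signal, since a four-digit "Update-KB" name with a double extension is not something legitimate senders produce. Because the From address is forged from the name and domain lists above, a sender check adds little here; attachment and subject matching is the practical gateway control.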

Other information

The worm terminates processes with any of the following strings in the name:

nod32krn
avginet
avgupsvc
kavsvc
sndsrvc
wupdmgr
upgrader
drwebupw
spiderml
autodown
kav
aupdate
lucoms
luall
ndetect
alunotify
lsetup
luinit
mcupdate
tbmon
wuauclt
wuauclt1
NOD32krn
kavsvc
SNDSrvc
wuauserv
explorer

The worm tries to download a file from the Internet. The file is then executed.