Summary

| Included in our products from | September 2003 (3.73) |
|---|---|
| Protection available since | 28 September 2003 09:47:05 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Israz-A is an email worm that spreads using its own SMTP engine. W32/Israz-A also targets the KaZaA file sharing utility.
Upon execution the worm creates copies of itself in the Windows system folder with the filenames vShell.exe and Win32.exe. The worm also creates copies of itself in the Windows temp folder using the filenames Fun.exe, FAQ.exe, Q322593.exe, Support.exe, ToolBar.exe and Wizard.exe.
W32/Israz-A extracts two files into the Windows system folder: ossmtp.dll, a freeware SMTP component, and vUser.exe, the secondary worm component.
W32/Israz-A collects email addresses from the Windows Address Book and sends itself as an attachment of an email message with the following characteristics:
From: update@microsoft.com
Subject line: Windows Update
Message text:
Your file is attached to message.
For more information go to Windows Update http://windowsupdate.microsoft.com
Attached file: Update.exe

From: update@microsoft.com
Subject line: PS1
Message text:
Your file is attached to message.
For more information go to Windows Update http://windowsupdate.microsoft.com
Attached file: Q322593.exe

From: update@microsoft.com
Subject line: Update Your ToolBar
Message text:
Your file is attached to message.
For more information go to Windows Update http://www.google.com
Attached file: ToolBar.exe

From: help@google.com
Subject line: Auto Search Wizard
Message text:
Your file is attached to message.
For more information go to Google home page http://www.google.com
Attached file: Wizard.exe

From: copyright@yahoo-inc.com
Subject line: Yahoo FAQ
Message text:
Your file is attached to message.
For more information go to Yahoo home page http://www.yahoo.com
Attached file: FAQ.exe

From: copyright@yahoo-inc.com
Subject line: Support For Search
Message text:
Your file is attached to message.
For more information go to Yahoo home page http://www.yahoo.com
Attached file: Support.exe
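
The six message variants above can be matched at a mail gateway on the combination of sender, subject and attachment name. The following is an added example, not Sophos code; the function names and the sample messages are constructed for illustration. It matches on the full triple because a rule on a spoofed sender address alone would also catch legitimate mail.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# (sender, subject, attachment) triples from the description above, lower-cased.
ISRAZ_TEMPLATES = {
    ("update@microsoft.com", "windows update", "update.exe"),
    ("update@microsoft.com", "ps1", "q322593.exe"),
    ("update@microsoft.com", "update your toolbar", "toolbar.exe"),
    ("help@google.com", "auto search wizard", "wizard.exe"),
    ("copyright@yahoo-inc.com", "yahoo faq", "faq.exe"),
    ("copyright@yahoo-inc.com", "support for search", "support.exe"),
}

def match_israz(raw_message: bytes):
    """Return the matching (sender, subject, attachment) template, or None."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # parseaddr strips any display name, e.g. "Windows Update <update@...>".
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if (sender, subject, name) in ISRAZ_TEMPLATES:
            return (sender, subject, name)
    return None

def build_sample(sender, subject, filename):
    """Constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Your file is attached to message.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [
        ("update@microsoft.com", "PS1", "Q322593.exe"),
        ("Google <help@google.com>", "Auto Search Wizard", "Wizard.exe"),
        ("update@microsoft.com", "Windows Update", "notes.txt"),
    ]
    for args in samples:
        print(args, "->", match_israz(build_sample(*args)))
```
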
W32/Israz-A searches for the default KaZaA download folder. If the folder is found, the worm creates a copy of itself using one of the following filenames:
XP Keys.exe
OfficeXP Keys.exe
NAV_2003 Crack.exe
Doom_3 Crack.exe
GTA Vice City Crack.exe
The worm also creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32
so that it contains the location of Win32.exe,
HKLM\Software\Classes\txtfile\shell\open\command\
so that it contains the location of vShell.exe
and
HKLM\Software\Symantec\ScriptBlocking
so that it contains the string "Script Blocking".
