|
Description: It drops the following files in the Windows folder: - tsrv.dll
- tsrv.exe - copy of itself
It also drops the following files, which are also detected as WORM_STRATION.AZ, in the Windows system folder: - cmut449c14b7.dll
- hpzl449c14b7.exe
- msji449c14b7.dll
It then injects the file MSJI449C14B7.DLL into certain running processes so that it remains memory-resident on the system.
Malware Overview Upon execution, this worm displays the following message: 
This worm propagates via email. It sends a copy of itself as an attachment to email messages that it sends to target recipients. It gathers target addresses from the Windows Address Book (WAB). A sample of the email message it sends out is shown below: 
This worm uses double extension names for its attached files. The said method is this worm's attempt to trick users into thinking that the mentioned files are non-malicious. It uses its own Simple Mail Transfer Protocol (SMTP) engine to automatically send out its messages even without the use of email clients such as MS Outlook. In addtion, it masquerades as a patch from Microsoft by using the file name Update-KB{random numbers}-x86.exe. It drops files in certain folders of an affected system. The dropped files are also detected as WORM_STRATION.AZ. It also creates or modifies autostart registry entries to enable its automatic execution at every system startup. Moreover, this worm attempts to disable certain firewall applications. It also modifies the affected system's HOSTS file to prevent access to certain Web sites. It attempts to download possibly malicious files from the URL {BLOCKED}hadefunjinsa.com. The said action increases the risk of acquiring more malware threats on the affected system. MANUAL REMOVAL INSTRUCTIONS Important Windows XP Cleaning Instructions Users running Windows XP must disable System Restore to allow full scanning of infected computers. Users running other Windows versions can proceed with the succeeding solution set(s). Restarting in Safe Mode This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode. Editing the Registry This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft: - HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
- HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
- HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entry from the Registry Removing autostart entries from the registry prevents the malware from executing at startup. If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set. - Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run - In the right panel, locate and delete the entry:
tsrv = "%Windows%\tsrv.exe s"
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
Restoring Modified Entry from the Registry - Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows NT>CurrentVersion>Windows - In the right panel, locate the entry:
AppInit_DLLs = "msji449c114b7.dll" - Right-click on the said entry and choose Modify. Change the value to:
AppInit_DLLs = "" - Close Registry Editor.
Deleting the Malware File(s) - Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
- In the Named input box, type:
TSRV.WAX - In the Look In drop-down list, select the drive that contains Windows, then press Enter.
- Once located, select the file then press SHIFT+DELETE.
Removing Malware Entries from the HOSTS File Deleting malware entries from the HOSTS file removes all malware-made changes on host name association. - Open the following file using a text editor (such as NOTEPAD):
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.) - Delete the following entries:
- 127.0.0.1 download.microsoft.com
- 127.0.0.1 go.microsoft.com
- 127.0.0.1 msdn.microsoft.com
- 127.0.0.1 office.microsoft.com
- 127.0.0.1 windowsupdate.microsoft.com
- 127.0.0.1 http://www.microsoft.com/downloads/Search.aspx?displaylang=en
- 127.0.0.1 avp.ru
- 127.0.0.1 www.avp.ru
- 127.0.0.1 http://avp.ru
- 127.0.0.1 http://www.avp.ru
- 127.0.0.1 kaspersky.ru
- 127.0.0.1 www.kaspersky.ru
- 127.0.0.1 http://kaspersky.ru
- 127.0.0.1 kaspersky.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 http://kaspersky.com
- 127.0.0.1 kaspersky-labs.com
- 127.0.0.1 www.kaspersky-labs.com
- 127.0.0.1 http://kaspersky-labs.com
- 127.0.0.1 avp.ru/download/
- 127.0.0.1 www.avp.ru/download/
- 127.0.0.1 http://www.avp.ru/download/
- 127.0.0.1 http://www.kaspersky.ru/updates/
- 127.0.0.1 http://www.kaspersky-labs.com/updates/
- 127.0.0.1 http://kaspersky.ru/updates/
- 127.0.0.1 http://kaspersky-labs.com/updates/
- 127.0.0.1 downloads1.kaspersky-labs.com
- 127.0.0.1 downloads2.kaspersky-labs.com
- 127.0.0.1 downloads3.kaspersky-labs.com
- 127.0.0.1 downloads4.kaspersky-labs.com
- 127.0.0.1 downloads5.kaspersky-labs.com
- 127.0.0.1 http://downloads1.kaspersky-labs.com
- 127.0.0.1 http://downloads2.kaspersky-labs.com
- 127.0.0.1 http://downloads3.kaspersky-labs.com
- 127.0.0.1 http://downloads4.kaspersky-labs.com
- 127.0.0.1 http://downloads5.kaspersky-labs.com
- 127.0.0.1 downloads1.kaspersky-labs.com/products/
- 127.0.0.1 downloads2.kaspersky-labs.com/products/
- 127.0.0.1 downloads3.kaspersky-labs.com/products/
- 127.0.0.1 downloads4.kaspersky-labs.com/products/
- 127.0.0.1 downloads5.kaspersky-labs.com/products/
- 127.0.0.1 http://downloads1.kaspersky-labs.com/products/
- 127.0.0.1 http://downloads2.kaspersky-labs.com/products/
- 127.0.0.1 http://downloads3.kaspersky-labs.com/products/
- 127.0.0.1 http://downloads4.kaspersky-labs.com/products/
- 127.0.0.1 http://downloads5.kaspersky-labs.com/products/
- 127.0.0.1 downloads1.kaspersky-labs.com/updates/
- 127.0.0.1 downloads2.kaspersky-labs.com/updates/
- 127.0.0.1 downloads3.kaspersky-labs.com/updates/
- 127.0.0.1 downloads4.kaspersky-labs.com/updates/
- 127.0.0.1 downloads5.kaspersky-labs.com/updates/
- 127.0.0.1 http://downloads1.kaspersky-labs.com/updates/
- 127.0.0.1 http://downloads2.kaspersky-labs.com/updates/
- 127.0.0.1 http://downloads3.kaspersky-labs.com/updates/
- 127.0.0.1 http://downloads4.kaspersky-labs.com/updates/
- 127.0.0.1 http://downloads5.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://downloads1.kaspersky-labs.com
- 127.0.0.1 ftp://downloads2.kaspersky-labs.com
- 127.0.0.1 ftp://downloads3.kaspersky-labs.com
- 127.0.0.1 ftp://downloads4.kaspersky-labs.com
- 127.0.0.1 ftp://downloads5.kaspersky-labs.com
- 127.0.0.1 ftp://downloads1.kaspersky-labs.com/products/
- 127.0.0.1 ftp://downloads2.kaspersky-labs.com/products/
- 127.0.0.1 ftp://downloads3.kaspersky-labs.com/products/
- 127.0.0.1 ftp://downloads4.kaspersky-labs.com/products/
- 127.0.0.1 ftp://downloads5.kaspersky-labs.com/products/
- 127.0.0.1 ftp://downloads1.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://downloads2.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://downloads3.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://downloads4.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://downloads5.kaspersky-labs.com/updates/
- 127.0.0.1 http://updates.kaspersky-labs.com/updates/
- 127.0.0.1 http://updates1.kaspersky-labs.com/updates/
- 127.0.0.1 http://updates2.kaspersky-labs.com/updates/
- 127.0.0.1 http://updates3.kaspersky-labs.com/updates/
- 127.0.0.1 http://updates4.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://updates.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://updates1.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://updates2.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://updates3.kaspersky-labs.com/updates/
- 127.0.0.1 ftp://updates4.kaspersky-labs.com/updates/
- 127.0.0.1 viruslist.com
- 127.0.0.1 www.viruslist.com
- 127.0.0.1 http://viruslist.com
- 127.0.0.1 viruslist.ru
- 127.0.0.1 www.viruslist.ru
- 127.0.0.1 http://viruslist.ru
- 127.0.0.1 ftp://ftp.kasperskylab.ru/updates/
- 127.0.0.1 symantec.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 http://symantec.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 http://customer.symantec.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 http://liveupdate.symantec.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 http://liveupdate.symantecliveupdate.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 http://securityresponse.symantec.com
- 127.0.0.1 service1.symantec.com
- 127.0.0.1 http://service1.symantec.com
- 127.0.0.1 symantec.com/updates
- 127.0.0.1 http://symantec.com/updates
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 http://updates.symantec.com
- 127.0.0.1 eset.com/
- 127.0.0.1 www.eset.com/
- 127.0.0.1 http://www.eset.com/
- 127.0.0.1 eset.com/products/index.php
- 127.0.0.1 www.eset.com/products/index.php
- 127.0.0.1 http://www.eset.com/products/index.php
- 127.0.0.1 eset.com/download/index.php
- 127.0.0.1 www.eset.com/download/index.php
- 127.0.0.1 http://www.eset.com/download/index.php
- 127.0.0.1 eset.com/joomla/
- 127.0.0.1 www.eset.com/joomla/
- 127.0.0.1 http://www.eset.com/joomla/
- 127.0.0.1 u3.eset.com/
- 127.0.0.1 http://u3.eset.com/
- 127.0.0.1 u4.eset.com/
- 127.0.0.1 http://u4.eset.com/
- 127.0.0.1 www.symantec.com/updates
- Save the file and close the text editor.
Running Trend Micro Antivirus If you are currently running in safe mode, please restart your computer normally before performing the following solution. Scan your computer with Trend Micro antivirus and delete files detected as WORM_STRATION.AZ. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner. |
