How to delete Win32.Warezov - Removal tool, fix instructions

Name: Email-Worm.Win32.Warezov

Aliases: WORM_STRATION.BB, W32/Stration-X, Warezov

Type: Worm

Size: The packed file is approximately 117KB in size, and the unpacked file is approximately 470KB in size.

First appeared on: 14.09.2006

Damage: Medium

Brief Description:

Warezov is a mass-mailing worm that sends itself as e-mail attachments to addresses found on infected computers. It attempts to download updated variants from specified website(s) on the Internet.

After the worm's file is run, it shows a message box as a decoy. It installs itself so that it runs when Windows is started.

Visible Symptoms:

Once launched, the worm causes the following message to be displayed:

Update successfully installed
Technical description:
  • When installing, the worm copies itself to the Windows root directory as "serv.exe":

    %Windir%\serv.exe

  • It also creates the files listed below in the Windows root and system directories:
    • %System%\cssewmpd (16384 bytes)
    • %System%\e1.dll (8192 bytes)
    • %System%\regaufat.dll (24576 bytes)
    • %System%\wupstlnt.dll (28672 bytes)
    • %Windir%\serv.dll (7680 bytes)
    • %Windir%\serv.s
    • %Windir%\serv.wax
    Other variants of Warezov can create the following files:
    • %Windir%\tsrv.exe
    • %Windir%\tsrv.dll
    • %Windir%\tsrv.s
    • %Windir%\tsrv.wax
    • %System%\cmut449c14b7.dll
    • %System%\hpzl449c14b7.exe
    • %System%\msji449c14b7.dll
  • The worm also creates the following entries in the system registry to ensure that the worm file is run each time Windows is rebooted on the victim machine:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "serv"="%Windir%\serv.exe s"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="wupstlnt.dll e1.dll"

  • Opens notepad and displays random characters in a text file when it is first executed.
  • Gathers email addresses by scanning files with the following extensions: *.adb, *.asp, *.cfg, *.cgi, *.dbx, *.dhtm, *.eml, *.htm, *.html, *.jsp, *.mbx, *.mdx, *.mht, *.mmf, *.msg, *.nch, *.ods, *.oft, *.php, *.pl, *.sht, *.shtm, *.stm, *.tbb, *.txt, *.uin, *.wab, *.wsh, *.xls, *.xml.
  • Saves the email addresses it finds in the %Windir%\tsrv.wax file.
  • Uploads the gathered email addresses to [http://]yuhadefunjinsa.com/cgi-bin/p[REMOVED]
  • Sends itself to the email addresses it gathers.
Propagation:

The worm sends itself to email addresses harvested from the MS Windows address books. It uses its own SMTP engine to send infected messages.

Message subject (chosen from the list below):
  • Error
  • Good Day
  • hello
  • Mail Delivery System
  • Mail server report
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
Message body (chosen from the list below):
  • Mail transaction failed. Partial message is available.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service
The worm will terminate a range of antivirus and firewall applications.

It also contains a list of URLs that it checks for the presence of files. If a file is found at one of these URLs, the worm downloads it to the victim machine and launches it.

Removal tool and instruction:
  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose 'Safe Mode' from the Windows boot menu).
  2. Use Task Manager to search for the following process:

    serv.exe

    If such a process is found, terminate it.
  3. Manually delete the following files from the Windows root and system directories:
    • %System%\e1.dll
    • %System%\regaufat.dll
    • %System%\wupstlnt.dll
    • %System%\cssewmpd
    • %Windir%\serv.dll
    • %Windir%\serv.s
    • %Windir%\serv.wax
    • %Windir%\serv.exe
    You may also have to delete the following files in the case of other Warezov versions:
    • %Windir%\tsrv.exe
    • %Windir%\tsrv.dll
    • %Windir%\tsrv.s
    • %Windir%\tsrv.wax
    • %System%\cmut449c14b7.dll
    • %System%\hpzl449c14b7.exe
    • %System%\msji449c14b7.dll
  4. Delete the following registry values:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "serv"="%Windir%\serv.exe s"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="wupstlnt.dll e1.dll"

  5. Reboot the computer as normal, and check that you have deleted all infected emails from all mail folders.
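The following PowerShell script is an added triage example, not part of the original instructions or any vendor tool: it checks a host for the process, dropped files and registry values listed in steps 2 to 4 and reports what it finds, leaving deletion to the operator. It assumes %System% resolves to %Windir%\System32 and that the tsrv variant runs as a process named tsrv.exe (the page only lists tsrv.exe as a dropped file).

```powershell
# Added example: report Warezov indicators from the removal steps above (read-only).
$ErrorActionPreference = 'SilentlyContinue'
$win = $env:SystemRoot
$sys = Join-Path $win 'System32'   # assumption: %System% = %Windir%\System32

# Dropped files listed in step 3 (default variant first, then other variants)
$files = @(
    "$sys\e1.dll", "$sys\regaufat.dll", "$sys\wupstlnt.dll", "$sys\cssewmpd",
    "$win\serv.dll", "$win\serv.s", "$win\serv.wax", "$win\serv.exe",
    "$win\tsrv.exe", "$win\tsrv.dll", "$win\tsrv.s", "$win\tsrv.wax",
    "$sys\cmut449c14b7.dll", "$sys\hpzl449c14b7.exe", "$sys\msji449c14b7.dll"
)

$findings = @()

# Step 2: running worm process (tsrv is an assumed name for the other variant)
Get-Process -Name 'serv', 'tsrv' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process: $($_.ProcessName) (PID $($_.Id)) $($_.Path)"
}

# Step 3: dropped files, with size so it can be compared to the sizes in the description
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings += "File: $f ($len bytes)"
    }
}

# Step 4: persistence values (Run key and AppInit_DLLs)
$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
if ($run.serv) {
    $findings += "Registry Run value 'serv' = $($run.serv)"
}
$winNT = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
if ($winNT.AppInit_DLLs -match 'wupstlnt\.dll|e1\.dll') {
    $findings += "Registry AppInit_DLLs = $($winNT.AppInit_DLLs)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Warezov indicators found.'
} else {
    Write-Output "Warezov indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt (in Safe Mode, per step 1) so the registry keys and the Windows directories are readable; AppInit_DLLs is reported as a whole so you can see whether legitimate entries share the value before removing it.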