Another new email worm

Art

I received two different emails with different message bodies
and attachments. One attackment is named docs.elm.pif.
The other, named Update-KB6269-x86.exe, was attached
to a "social-engineered" message claiming to come from
my ISP. It claimed that worms were being detected emanating
from my computer and that the "urgent update" be installed
immediately.

Results at Virus Total were spotty, with just a small handful
of products producing an alert of any kind. The alerts all
appeared to be of a heuristic "guesswork" nature. So I
zipped both attackments and sent them to Kaspersky.

A Kaspersky analyst responded that detection for
Email-Worm.Win32.Warezov.u has now been added.

Art
http://home.epix.net/~artnpeg
 
Ian Kenefick

I received two different emails with different message bodies
and attachments. One attackment is named docs.elm.pif.
The other, named Update-KB6269-x86.exe, was attached
to a "social-engineered" message claiming to come from
my ISP. It claimed that worms were being detected emanating
from my computer and that the "urgent update" be installed
immediately.

Results at Virus Total were spotty, with just a small handful
of products producing an alert of any kind. The alerts all
appeared to be of a heuristic "guesswork" nature. So I
zipped both attackments and sent them to Kaspersky.

A Kaspersky analyst responded that detection for
Email-Worm.Win32.Warezov.u has now been added.

Yeah, F-Secure blogged about this earlier here
http://www.f-secure.com/weblog/archives/archive-092006.html#00000967
 
optikl

Art said:
The other, named Update-KB6269-x86.exe, was attached
to a "social-engineered" message claiming to come from
my ISP. It claimed that worms were being detected emanating
from my computer and that the "urgent update" be installed
immediately.

It never ceases to amaze me how much effort the truly lame will invest
in trying to trap the truly unsuspecting.
 
David H. Lipman

From: "Art" <[email protected]>

| I received two different emails with different message bodies
| and attachments. One attackment is named docs.elm.pif.
| The other, named Update-KB6269-x86.exe, was attached
| to a "social-engineered" message claiming to come from
| my ISP. It claimed that worms were being detected emanating
| from my computer and that the "urgent update" be installed
| immediately.
|
| Results at Virus Total were spotty, with just a small handful
| of products producing an alert of any kind. The alerts all
| appeared to be of a heuristic "guesswork" nature. So I
| zipped both attackments and sent them to Kaspersky.
|
| A Kaspersky analyst responded that detection for
| Email-Worm.Win32.Warezov.u has now been added.
|
| Art
| http://home.epix.net/~artnpeg

This is a spambot. Once installed, the Warezov will start generating and spewing spam from
the infected PC immediately.

Warezov.t and Warezov.u are in the wild and spreading!
 