WORM_AGENT.FZS

Malware type: Worm

Aliases: Trojan.Win32.Delf.cn (Kaspersky), Trojan Horse (Symantec), Dial/ExDial-C (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email


Description: 

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_AGENT.FZS Behavior Diagram

Malware Overview

This worm arrives on a system as a file downloaded from the Internet by unsuspecting users while visiting malicious Web sites, or as a file dropped by other malware.

It may also send copies of itself as an attachment to an email message using its own Simple Mail Transfer Protocol (SMTP) engine. It gathers target addresses from the Windows Address Book (WAB) in an attempt to trick users into thinking that the message comes from a familiar and reliable source. Using its own SMTP engine allows this worm to send out copies of itself without the use of mailing applications, such as Microsoft Outlook.

The email message it sends out has the following details:

Subject: In spiaggia

Message body:
Bacini! Ti mando le foto che mi hai fatto questa estate. Ce ne una che =E8 meglio che cancelli :)

Attachment: Spiaggiafoto.zip

Upon execution, it creates folders in the Windows and Windows system folders, then drops a copy of itself in the created folders. As a result, the system becomes the launch pad for its routines.

It adds a certain registry entry to automatically execute at every system startup.

Furthermore, this worm may dial premium numbers. Users may then be charged for calls made to long-distance numbers or pay-per-call sites.

It opens an instance of Internet Explorer pointing to a certain Web site. However, it does not perform any other actions aside from connecting to the said Web site.


Description created: Oct. 23, 2006 10:51:49 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 61,808 Bytes (compressed)

Initial samples received on: Oct 23, 2006

Payload 1: Dials premium numbers

Details:

Arrival and Installation

This worm arrives on a system as a file downloaded from the Internet by unsuspecting users while visiting malicious Web sites. It may also arrive as a file dropped by other malware or as an attachment to an email message.

Upon execution, it creates the following folders:

  • %Windows%\$hf_mig$\KB090545
  • %System%\Winsystema

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Then, it drops a copy of itself in the created Winsystema folder using the file name FREEVIDEO5.EXE.

It also drops the following files in the %Windows%\$hf_mig$ folder:

  • semail.exe - component of this worm
  • semail.tpl - another component of this worm
  • target.dat - copy of itself

To automatically execute at every system startup, it adds the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winsystem = "%System%\Winsystema\Freevideo5.EXE -n"

It creates the following registry keys as part of its installation:

HKEY_CURRENT_USER\Software\Freeware

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F57503-99C7-466D-883D-D41BAD9FB247}

Propagation Via Email

This worm propagates by sending copies of itself as an attachment to an email message using its own Simple Mail Transfer Protocol (SMTP) engine. It gathers target addresses from the Windows Address Book (WAB) in an attempt to trick users into thinking that the message comes from a familiar and reliable source. Using its own SMTP engine allows this worm to send out copies of itself without the use of mailing applications, such as Microsoft Outlook.

The email message it sends out has the following details:

Subject: In spiaggia

Message body:
Bacini! Ti mando le foto che mi hai fatto questa estate. Ce ne una che =E8 meglio che cancelli :)

Attachment: Spiaggiafoto.zip
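As an added example (not part of the Trend Micro advisory), the following Python script shows how a mail gateway could flag this worm's message from the indicators above: the subject, the attachment name and the body text. The sample message it builds is constructed here, including the ISO-8859-1 quoted-printable encoding that makes the accented letter appear as "=E8" in the advisory; the sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory, compared case-insensitively
WORM_SUBJECT = "in spiaggia"
WORM_ATTACHMENT = "spiaggiafoto.zip"
WORM_BODY_MARKER = "ti mando le foto che mi hai fatto questa estate"

def build_sample_message():
    """Constructed message resembling the worm's email (not a real capture). The body
    is sent quoted-printable in ISO-8859-1, which is why the advisory shows 'è' as '=E8'."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"  # placeholder for a harvested WAB address
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "In spiaggia"
    msg.set_content("Bacini! Ti mando le foto che mi hai fatto questa estate. "
                    "Ce ne una che \u00e8 meglio che cancelli :)",
                    charset="iso-8859-1", cte="quoted-printable")
    msg.add_attachment(b"PK\x03\x04 placeholder bytes, not a real archive",
                       maintype="application", subtype="zip", filename="Spiaggiafoto.zip")
    return msg.as_bytes()

def build_benign_message():
    """Constructed ordinary message with a zip attachment, for contrast."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()

def classify(raw):
    """Return the matched indicators and a verdict; two or more hits count as a detection,
    so a changed subject or a renamed attachment alone does not slip past the check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == WORM_SUBJECT:
        hits.append("subject")
    if any((p.get_filename() or "").lower() == WORM_ATTACHMENT for p in msg.iter_attachments()):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and WORM_BODY_MARKER in body.get_content().lower():
        hits.append("body")
    return {"hits": hits, "verdict": "WORM_AGENT.FZS" if len(hits) >= 2 else "clean"}
```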

Payload

This worm may dial premium numbers. The user may be charged for calls made to long-distance numbers or pay-per-call sites.

Furthermore, it opens an instance of Internet Explorer with the URL pointing to http://www.{BLOCKED}ultfriendfinder.com. However, it does not perform any other actions aside from opening the said Web site.

Affected Platforms

This worm is compressed (packed) with its own compression routine. It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Aleandro Sy

Revision History:

First pattern file version: 3.872.03
First pattern file release date: Oct 23, 2006

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 3.883.00

Pattern release date: Oct 26, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

NOTE: Close all instances of Internet Explorer before performing the succeeding clean instructions.

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    Freevideo5.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry

Removing the autostart entry from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Winsystem = "%System%\Winsystema\Freevideo5.EXE -n"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Removing Other Added Key from the Registry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Uninstall
  2. In the same panel, locate and delete the key:
    {54F57503-99C7-466D-883D-D41BAD9FB247}
  3. This malware also creates the following registry key:
    HKEY_CURRENT_USER>Software>Freeware
    However, this key may be used by other legitimate applications. If you are certain that there are no other applications on your computer that use this key, you may delete it. Otherwise, you may leave this key, as it can no longer serve malicious purposes once this malware is removed from your system.
  4. Close Registry Editor.

Deleting the Malware Folders

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    $hf_mig$
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the folder then press SHIFT+DELETE.
  5. Repeat steps 2 to 4 to delete the folder Winsystema.
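As an added example (not from the advisory), the following Python script turns the registry and file indicators listed under Arrival and Installation into an offline check that can also confirm the registry and folder removal steps above worked: it parses a Registry Editor export (REGEDIT4 or "Windows Registry Editor Version 5.00" format) for the Winsystem autostart value, the uninstall key and the shared Freeware key, and matches a directory listing against the dropped folders and files. The export it contains is constructed, with %System% expanded to C:\WINDOWS\System32 as on Windows XP.

```python
import re

# Indicators listed in the advisory; registry paths are compared case-insensitively
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Uninstall\{54F57503-99C7-466D-883D-D41BAD9FB247}")
FREEWARE_KEY = r"HKEY_CURRENT_USER\Software\Freeware"
FILE_INDICATORS = (r"\$hf_mig$\kb090545", r"\$hf_mig$\semail.exe", r"\$hf_mig$\semail.tpl",
                   r"\$hf_mig$\target.dat", r"\winsystema\freevideo5.exe")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string (REG_SZ) values only

def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key (lower-cased): {value_name: data}}; only string values are kept."""
    tree, current = {}, None
    for line in text.splitlines():
        key, value = _KEY_RE.match(line.strip()), _VALUE_RE.match(line.strip())
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
        elif value and current is not None:
            # .reg exports escape backslashes and quotes with a backslash
            tree[current][value.group(1)] = re.sub(r"\\(.)", r"\1", value.group(2))
    return tree

def find_registry_indicators(tree):
    """Return (kind, key_or_value_name, data) tuples for the worm's registry footprint."""
    findings = []
    for name, data in tree.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "winsystem" or r"\winsystema\freevideo5.exe" in data.lower():
            findings.append(("autostart", name, data))
    if UNINSTALL_KEY.lower() in tree:
        findings.append(("uninstall-key", UNINSTALL_KEY, ""))
    if FREEWARE_KEY.lower() in tree:  # may be shared with legitimate software: report only
        findings.append(("possibly-shared-key", FREEWARE_KEY, ""))
    return findings

def find_file_indicators(paths):
    """Flag paths from a directory listing that end in the worm's folder or file names."""
    return [p for p in paths if any(p.lower().endswith(i) for i in FILE_INDICATORS)]

# Constructed sample export (not a real capture) from an infected Windows XP machine
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Winsystem"="C:\\WINDOWS\\System32\\Winsystema\\Freevideo5.EXE -n"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F57503-99C7-466D-883D-D41BAD9FB247}]
[HKEY_CURRENT_USER\Software\Freeware]
"""
```

Version 5.00 exports are written as UTF-16, so read such a file with encoding="utf-16" before passing its text in; rerun the check on a fresh export after the removal steps, and an empty result confirms the autostart value and added keys are gone.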

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_AGENT.FZS. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
