Summary

This is a new email worm, email executable file size 56808 bytes long. Dropped executable files will be 46056 bytes lo

Spreading description

When the worm is executed, it will display a window with an error message. In the background it now creates a number of files in the Windows System directory; most notably two worm files - these two files can have various names, f.ex. expoler.exe or win32data.exe. Registry keys will be created to start these from bootup. Other files created are:

clonzips.ssc
clsobern.isc
cvqaikxt.apk
dgssxy.yoi
nonzipsr.noz
Odin-Anon.Ger
sb2run.dii
sysmms32.lla
winexerun.dal
winmprot.dal
winroot64.dal
winsend32.dal
zippedsr.piz

These are used for preliminary storage of harvested email addresses and MIME-encoded copies of the worm.

Registry keys created by the worm:

The worm uses several different key names and filenames, but an installation can look like this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run service =\win32data.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winrunexpolerx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run dirloghostx =\expoler.exe %run%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run expoler32 =\win32data.exe

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.