W32/Areses.a@MM

Type: Internet Worm
SubType: E-mail
Discovery Date: 04/12/2006
Length:
Minimum DAT: 4740 (04/13/2006)
Updated DAT: 5325 (06/25/2008)
Minimum Engine: 5.1.00
Description Added: 04/12/2006
Description Modified: 04/12/2006 4:06 PM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Areses.a@MM is a mass mailer that spreads via e-mail by harvesting e-mail addresses from the infected machine.

Upon execution, the worm copies itself to the %WINDIR% folder as "csrss.exe". If executed inside a virtual machine it does not replicate and only opens the browser to http://www.nahuy.com. If an instance of the virus is already installed, it opens an instance of Notepad.

Registry Changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\WINDOWS\csrss.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\Application: [DATA]
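The Image File Execution Options (IFEO) Debugger value above makes Windows launch C:\WINDOWS\csrss.exe every time explorer.exe starts, so the worm persists without a Run key, and the file name mimics the genuine csrss.exe, which lives in %SystemRoot%\System32. The following is an added defender-side example, not code from the original description: it parses the text of a registry export of the IFEO key (as produced by `reg export`) and flags every per-image Debugger value, rating a System32 process name that points outside System32 as a hijack; the sample export is constructed and its second key (myapp.exe) is hypothetical.

```python
import re

# IFEO key path (hive-relative, lowercased): a per-image subkey's Debugger value is launched in place of that image
IFEO_PREFIX = "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
# Processes whose genuine binary lives in %SystemRoot%\System32; the same name elsewhere is masquerading
SYSTEM32_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}
# Constructed sample export (not from a real host): first key mirrors the value above, second is a hypothetical vendor debugger
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\dbg.exe\" /attach"
'''

def parse_reg_export(text):
    """Parse .reg text into {key_path: {name: data}}, keeping string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # dword:/hex: values never match and are skipped; \\ and \" are unescaped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                keys[current][name] = data
    return keys

def debugger_exe(data):  # executable path from a Debugger value, minus quotes and arguments
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end if end > 0 else None]
    return data.split()[0] if data.split() else data

def find_ifeo_debuggers(text):
    """(image, debugger_path, severity) per IFEO subkey with a Debugger; System32 names outside System32 are hijacks."""
    findings = []
    for key, values in parse_reg_export(text).items():
        path = key[key.find("\\") + 1:].lower()
        if not path.startswith(IFEO_PREFIX) or "Debugger" not in values:
            continue
        exe = debugger_exe(values["Debugger"])
        folder, _, name = exe.lower().rpartition("\\")
        hijack = name in SYSTEM32_IMAGES and not folder.endswith(("\\system32", "\\syswow64"))
        findings.append((path[len(IFEO_PREFIX):], exe, "high" if hijack else "review"))
    return findings
```

Legitimately registered IFEO debuggers are rare on workstations, so every "review" finding is worth a look; the "high" rating catches the specific csrss.exe masquerade this worm uses.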

It sends out mail using its own SMTP engine; the attachments are generally in .cab format.

It harvests e-mail addresses from files with the following extensions:

  • .dhtm
  • .html
  • .shtm
  • .dhtml

It avoids sending itself to e-mail addresses containing the following strings:

  • @example.
  • @hotmail
  • @microsoft
  • rating@
  • f-secur
  • update
  • .qmail
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • Mailer-Daemon@
  • @subscribe
  • admin
  • icrosoft
  • support
  • ntivi
  • linux
  • listserv
  • certific
  • torvalds@
  • sopho
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • spm111@
  • abuse
  • panda
  • cafee
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@


Symptoms

Attempts to connect to:

  • [http://]85.249.23.35/m/[Blocked]
  • [http://]207.46.250.119/g/[Blocked]
  • [http://]84.22.161.192/s/[Blocked]

May open an IE browser window pointing to http://www.nahuy.com.

Presence of the aforementioned registry values and random opening of TCP ports.

Method of Infection

W32/Areses.a@MM spreads through harvested e-mail addresses.

Removal

AVERT recommends always using the latest DATs and engine; this threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases:

  • Backdoor.Win32.Rbot.AEU (Ikarus)
  • W32.Areses.A@mm (Symantec)
  • WORM_ARESES.B (Trend)
