
W32/Banwarum@MM

Type: Virus
SubType: E-mail
Discovery Date: 05/24/2006
Length: Varies
Minimum DAT: 4770 (05/25/2006)
Updated DAT: 4877 (10/19/2006)
Minimum Engine: N/A
Description Added: 05/25/2006
Description Modified: 05/25/2006 5:52 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low


Characteristics

This mass-mailing virus may appear as a .EXE file within a .ZIP archive via email.

Please note: McAfee has detected this .ZIP attachment as Generic Malware.a!zip since the 4507 DATs (June 2005).

The .ZIP requires a password to extract the .EXE. The password is present in the body of the email, either in plain text or in the form of a .GIF image. Please note that this .GIF may appear as the body of the email if you are viewing the email with HTML formatting; otherwise, it may appear as a second attachment.

The .EXE filename will contain a double extension with a number of spaces between them in an attempt to obscure the true extension when viewed in certain applications. For example:

bescheinigung.gif               .exe 
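The padded double extension above is easy to screen for at the mail gateway. The following is an added example (not code from the original description or from McAfee): it normalizes an attachment name the way Windows does (trailing whitespace ignored, last dot wins) and flags names where whitespace padding separates a benign-looking extension from the real one. The executable-extension list and all sample names other than the page's own `bescheinigung.gif ... .exe` are constructed for this demonstration.

```python
import re

# Extensions Windows treats as directly executable (a defender's watch list,
# constructed for this example; extend to match local policy).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

# A padded double extension: a benign-looking extension, a run of whitespace,
# then the real extension at the very end of the name.
_PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<shown>[a-z0-9]{1,5})(?P<pad>\s+)\.(?P<real>[a-z0-9]{1,4})$",
    re.IGNORECASE,
)


def true_extension(filename: str) -> str:
    """The extension Windows actually dispatches on: text after the last dot,
    with trailing whitespace ignored."""
    name = filename.rstrip()
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def padded_double_extension(filename: str):
    """Return (shown_ext, real_ext) if the name uses whitespace padding to push
    its real extension out of view, else None."""
    m = _PADDED_DOUBLE_EXT.match(filename)
    if not m:
        return None
    return m.group("shown").lower(), m.group("real").lower()


def classify_attachment(filename: str) -> str:
    """Label an attachment name for a mail-filter rule."""
    padded = padded_double_extension(filename)
    if padded and padded[1] in EXECUTABLE_EXTENSIONS:
        return "disguised-executable"
    if true_extension(filename) in EXECUTABLE_EXTENSIONS:
        return "executable"
    return "other"


# Constructed sample names. The first is the example given in the description;
# the rest are made up for this demonstration.
SAMPLES = [
    "bescheinigung.gif               .exe",
    "rechnung.pdf .scr",
    "photo.gif",
    "setup.exe",
    "archive.zip",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{classify_attachment(name):22} {name!r}")
```

The check is deliberately applied to the name inside the archive as well as to the archive itself: a password-protected .ZIP cannot be scanned for content, but its central directory still lists member names in the clear, so the padded-extension rule works even when the payload does not.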

Once executed the virus will drop a .DLL file to disk as:

%WINDIR%\System32\mszsrn32.dll

It then injects code into the running winlogon.exe process, both to hide its activity and to ensure the virus is reloaded when the system is restarted.

The following registry modifications are made by the virus:

A new registry key with the name mszsrn32 is created in the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

The key contains the following data:

"DllName"="C:\WINDOWS\System32\mszsrn32.dll"
"Startup"="Startup"


Please see the VIL description W32/Banwarum.dll for information about the .DLL component.


Symptoms

Registry:

Presence of the mszsrn32 key in the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

File system:

Presence of the %WINDIR%\System32\mszsrn32.dll file.

Network:

  • HTTP (TCP port 80) traffic to one or more of the aforementioned domain names.
  • SMTP (TCP port 25) traffic containing any of the aforementioned attachment names or subject topics.
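The registry and file-system symptoms above translate directly into a host triage check. The following is an added example (not McAfee's tool or code from the original description): it enumerates the Winlogon\Notify subkeys, flags one named mszsrn32 or one whose DllName points at mszsrn32.dll, and checks for the dropped DLL under %WINDIR%\System32. The registry read is isolated in its own function (Windows only, via the standard winreg module) so the matching logic can be exercised on any platform; the `crypt32chain` entry in the usage is a constructed sample, not an indicator.

```python
import ntpath
import os
from typing import Callable, Dict, List, Mapping

# Indicators taken from the description above.
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SUSPECT_SUBKEY = "mszsrn32"
SUSPECT_DLL = "mszsrn32.dll"


def read_notify_subkeys() -> Dict[str, Dict[str, str]]:
    """Enumerate HKLM\\...\\Winlogon\\Notify and return {subkey: {value: data}}.
    Windows only: winreg is imported here so the matching below stays portable."""
    import winreg
    result: Dict[str, Dict[str, str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as notify:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(notify, index)
            except OSError:           # no more subkeys
                break
            index += 1
            values: Dict[str, str] = {}
            with winreg.OpenKey(notify, name) as sub:
                vindex = 0
                while True:
                    try:
                        vname, vdata, _vtype = winreg.EnumValue(sub, vindex)
                    except OSError:   # no more values
                        break
                    vindex += 1
                    values[vname] = str(vdata)
            result[name] = values
    return result


def check_notify(subkeys: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Flag any Notify package named mszsrn32 or whose DllName is mszsrn32.dll."""
    findings = []
    for name, values in subkeys.items():
        dll = values.get("DllName", "")
        if name.lower() == SUSPECT_SUBKEY or ntpath.basename(dll).lower() == SUSPECT_DLL:
            findings.append(f"registry: Notify\\{name} -> {dll or '<no DllName>'}")
    return findings


def check_dll(windir: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Flag the dropped DLL; 'exists' is injectable so the check can be tested offline."""
    path = ntpath.join(windir, "System32", SUSPECT_DLL)
    return [f"file: {path}"] if exists(path) else []


def triage(subkeys: Mapping[str, Mapping[str, str]], windir: str,
           exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Combine both host-side symptoms; an empty list means neither was found."""
    return check_notify(subkeys) + check_dll(windir, exists)


if __name__ == "__main__":
    # Live run on a Windows host; a constructed sample is used in the test instead.
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    for finding in triage(read_notify_subkeys(), windir):
        print(finding)
```

Matching on both the subkey name and the DllName basename matters: a rename of the subkey alone would slip past a name-only check, while the DLL path is what winlogon actually loads.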

Method of Infection

Manually executing an infected email attachment infects the local system, which is then used to email the virus to others.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection covers the mass-mailing virus W32/Banwarum@MM, which has the following characteristics:

  • Drops an encrypted .DLL component - %WINDIR%\System32\mszsrn32.dll - and injects it into the winlogon.exe process
  • Modifies the system registry

Aliases:

  • Email-Worm.Win32.Banwarum (Kaspersky)
  • W32.Banwarum@MM (Symantec)
  • W32/Zasran (Sophos)
