NEWS FROM THE LAB - Monday, September 11, 2006

Warezov Strikes Back
Posted by Elda @ 08:14 GMT

Yesterday, we blogged about a new variant of Warezov being spammed around. Today, another variant has been seen spreading in the wild.

This new variant is now detected as Email-Worm.Win32.Warezov.u using database update version 2006-09-11_01.

It sends itself as an e-mail attachment to addresses found on the infected computer.

Here's another e-mail sample of this worm:

[Image: Warezov Example]

Like yesterday's Warezov variant, it downloads another variant from yuhadefunjinsa.com/[removed]/lt.exe. This downloaded file is now detected as Email-Worm.Win32.Warezov.t.

Once Warezov.u has been executed, it displays a Notepad window filled with random character strings. This serves as a decoy to fool users into thinking that this text was the file they opened, rather than the actual worm. Below is an example:

[Image: Warezov Notepad]

Let's see if these patterned attacks will continue striking tomorrow.