WORM_ISRAZ.A
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Israz.a (Kaspersky), W32.Israz@mm (Symantec), Worm/Isratz.1 (Avira), W32/Israz-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine and through Kazaa, a peer-to-peer file-sharing network application. It sends an email message with a copy of itself attached to all recipients in the Microsoft Outlook Address Book. Each message has one of the following sets of characteristics:

From: update@microsoft.com
Subject: Windows Update
Message Body:
Your file is attached to message.
For more information go to Windows Update
http://windowsupdate.microsoft.com
Attachment: Update.exe

From: update@microsoft.com
Subject: PS1
Message Body:
Your file is attached to message.
For more information go to Windows Update
http:/ /windowsupdate.microsoft.com
Attachment: Q322593.exe

From: help@google.com
Subject: Update Your ToolBar
Message Body:
Your file is attached to message.
For more information go to Google home page
http:/ /www.google.com
Attachment: ToolBar.exe

From: help@google.com
Subject: Auto Search Wizard
Message Body:
Your file is attached to message.
For more information go to Google home page
http:/ /www.google.com
Attachment: Wizard.exe

From: copyright@yahoo-inc.com
Subject: Yahoo FAQ
Message Body:
Your file is attached to message.
For more information go to Yahoo home page
http:/ /www.yahoo.com
Attachment: FAQ.exe

From: copyright@yahoo-inc.com
Subject: Support For Search
Message Body:
Your file is attached to message.
For more information go to Yahoo home page
http:/ /www.yahoo.com
Attachment: Support.exe

From: <Infected user's SMTP email address>
Subject: You must to see that
Message Body:
Your file is attached to message.
Attachment: Fun.exe
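
The message characteristics listed above can be turned into a mail-filter check. The following Python sketch is an added example, not Trend Micro code: it parses a raw message and reports which sender/subject/attachment combination from the list it matches. The names match_israz and build_sample, and the example.test addresses, are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# (From, Subject, Attachment) triples taken from the description above.
# A sender of None stands for "<Infected user's SMTP email address>",
# which can be any address.
ISRAZ_LURES = [
    ("update@microsoft.com", "Windows Update", "Update.exe"),
    ("update@microsoft.com", "PS1", "Q322593.exe"),
    ("help@google.com", "Update Your ToolBar", "ToolBar.exe"),
    ("help@google.com", "Auto Search Wizard", "Wizard.exe"),
    ("copyright@yahoo-inc.com", "Yahoo FAQ", "FAQ.exe"),
    ("copyright@yahoo-inc.com", "Support For Search", "Support.exe"),
    (None, "You must to see that", "Fun.exe"),
]
BODY_LINE = "your file is attached to message."  # present in every variant

def _norm(value):
    """Lower-case and collapse whitespace; None becomes ''."""
    return " ".join(str(value or "").split()).lower()

def match_israz(raw):
    """Return the lure triple a raw RFC 822 message matches, else None."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = _norm(msg.get("Subject"))
    attachments = {_norm(p.get_filename()) for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("plain",))
    if body is None or BODY_LINE not in _norm(body.get_content()):
        return None
    for lure in ISRAZ_LURES:
        lure_from, lure_subject, lure_file = lure
        if lure_from not in (None, sender):
            continue  # fixed-sender lure, but the From address differs
        if subject == lure_subject.lower() and lure_file.lower() in attachments:
            return lure
    return None

def build_sample(sender, subject, filename):
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("Your file is attached to message.\n")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Matching is case-insensitive on subject and attachment name, and a message must carry the common body line as well as one full triple before it is reported.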

This worm modifies all .URL files on local drives so that they link to any of the following sites:

  • http://www.yn<blocked>t.co.il/
  • http://www.ta<blocked>uz.co.il/
  • http://www.n<blocked>na.co.il/
  • http://www.m<blocked>n.co.il/
  • http://www.wa<blocked>la.co.il/

This memory-resident worm is written and compiled in Visual Basic 6 and runs on Windows 95, 98, ME, NT, 2000, and XP.

TrendLabs is currently working to provide a more in-depth analysis of this malware.


Description created: Jul. 9, 2003 9:46:17 PM GMT -0800
Description updated: Jul. 9, 2003 10:06:17 PM GMT -0800
