TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_ZHELATI.MAB
Overview
Solution

Malware type: Worm

Aliases: Email-Worm.Win32.Zhelatin.hs (Kaspersky), Tibs-Packed (McAfee), Trojan.Packed.13 (Symantec), WORM/Zhelatin.Gen (Avira), Mal/Dorf-E (Sophos), Trojan:Win32/Tibs.DV (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Infection Channel 1 : Propagates via email

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_ZHELATI.MAB Behavior Diagram

Malware Overview

This worm propagates via email. It arrives on inboxes as spammed email messages containing a link. Below is a sample of the spammed email message:

Subject: are you kidding me? lol

Message body:
Dude I know thats you, someone emailed me has link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

Once the hyperlink is clicked, it redirects to certain IP addresses, which open the following Web page disguised as a YouTube page:

WORM_ZHELATI[1].MAB Behavior Diagram

Clicking click here downloads a copy of this worm into the target system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT. This worm also drops a file detected by Trend Micro as TROJ_PEACOMM.GR. As a result, routines of the dropped Trojan may be exhibited on the affected system.

This worm gathers target email addresses from files with the certain extensions. It avoids sending email messages to addresses containing certain strings. It then uses its own Simple Mail Transfer Protocol (SMTP) engine to send the email. Having its own SMTP engine allows it to send messages without using any mailing application, such as Microsoft Outlook.

Moreover, it terminates processes related to antivirus and security applications if it finds them running in memory. It also modifies a certain file found in the Windows system folder. These routines enable it to avoid immediate detection and consequent removal.

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 28, 2007 5:12:48 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.