Warezov.mp via ICQ
We’ve received some reports that Warezov.mp (aka Stration) is now spreading via ICQ. We have identified two domains used by this variant, “auterfunmdasetion.com” and “buheradesunme.com”, and we hope ICQ users can block them.
The variant sends out links like the following via ICQ:
http://133.buheradesunme.com//166/
http://2849.buheradesunme.com//166/
http://4047.auterfunmdasetion.com//3660/
When a user clicks one of these links, the file “flash.exe” or “pic.pif” is downloaded.
This variant is 88,919 bytes, packed with PE_Patch and UPack; its MD5 hash is ae8256ab7f4ef8c70889bf4be86dd969, and Kaspersky detects it as Email-Worm.Win32.Warezov.mp.
Sandbox result:
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\crypmapi.dll.
* Creates file C:\WINDOWS\System32\crypmapi.exe.
* Deletes file C:\WINDOWS\System32\crypmapi.exe.
[ Changes to registry ]
* Creates key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
* Sets value “DllName”=”C:\WINDOWS\SYSTEM32\crypmapi.dll” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
* Sets value “Startup”=”WlxStartupEvent” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
* Sets value “Shutdown”=”WlxShutdownEvent” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
* Sets value “Impersonate”=“” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
* Sets value “Asynchronous”=“” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\crypmapi.dll (98,304 bytes) : no signature detection.
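The registry changes above are a Winlogon notification-package persistence entry: the DLL named in DllName is loaded by Winlogon and its Startup/Shutdown exports are called at logon and logoff. As an added example that is not part of the original post, the following PowerShell script enumerates every Winlogon Notify entry on a machine and flags the crypmapi key, a missing or unsigned DLL, or a file matching the MD5 given in this post (assumes an elevated session and PowerShell 4 or later for Get-FileHash).

```powershell
# Added example (not from the original post): list Winlogon notification packages
# and flag entries matching the persistence the sandbox output above describes.
# Assumes an elevated session and PowerShell 4+ (for Get-FileHash).

$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Indicators taken from the post: key name, DLL name and the dropper's MD5.
$badKeyName    = 'crypmapi'
$badDllName    = 'crypmapi.dll'
$badDropperMd5 = 'AE8256AB7F4EF8C70889BF4BE86DD969'

function Get-WinlogonNotifyPackages {
    # Vista and later ignore Winlogon Notify DLLs, so the key may be absent.
    if (-not (Test-Path -LiteralPath $notifyPath)) { return @() }

    Get-ChildItem -LiteralPath $notifyPath | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $dll   = $props.DllName

        # DllName is usually a bare filename that Winlogon resolves from System32.
        $resolved = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else { $dll }

        $exists = [bool]$resolved -and (Test-Path -LiteralPath $resolved)
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'MISSING' }
        $md5 = if ($exists) { (Get-FileHash -LiteralPath $resolved -Algorithm MD5).Hash } else { $null }

        # Flag the known-bad name/hash, plus anything unsigned: legitimate
        # notification packages on XP are Microsoft-signed system DLLs.
        $suspicious = ($_.PSChildName -ieq $badKeyName) -or
                      ($dll -and ([IO.Path]::GetFileName($dll) -ieq $badDllName)) -or
                      ($md5 -ieq $badDropperMd5) -or
                      ($sig -ne 'Valid')

        [pscustomobject]@{
            Key        = $_.PSChildName
            DllName    = $dll
            Startup    = $props.Startup
            Shutdown   = $props.Shutdown
            Signature  = $sig
            MD5        = $md5
            Suspicious = $suspicious
        }
    }
}

Get-WinlogonNotifyPackages | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The MD5 in the post is for the downloaded dropper, not the dropped DLL, so on an infected host the crypmapi entry will usually be flagged by its key name and missing signature rather than by hash.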