W32/Areses.Q Worm

 Information about the W32/Areses.Q Worm:

W32/Areses.Q is a mass mailing worm. The worm will infect Windows systems and spreads through email.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The 'Subject' of the infected mail will be any one of the following;

Re: When you're gonna answer me?
He, where are you?
Re: Where have you been?
Hi! Please write to me urgently!
Hi! I'm waiting you online today!
Re: How's the mood?
Hi, what's up?
Re: write to me!
Hi, drop me a line!!!
Will you be online today?
Re: Call me!
When you're gonna answer me?
Re: Where are you?
Hi!!! How's the mood?

The body of the infected mail will be any one of the following;

Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm
sending that program that you've been looking for. Check it out. Appears to be that one. Bye!

Hi, what's up? Will you show up online today?
Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find
them attached. Check them out, ok?

Hi! I'm coming to you tomorrow, ok? When you are going to be home?
You remember, you've asked some docs. Please find them attached. Check and see what's
inside. That's it. Bye, till tomorrow...

Hi, what's up? If you have time tomorrow, please come over. After midday. By the way,
don't forget to check the enclosed documents. Bye. See you tomorrow.

Hi, how are you? What are your plans today? If you have time, please come over, and don't
forget to check the program attached. Bye!

Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this
funny program I'm sending. Check it out. Bye!

Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a
call, ok? By the way, check this file I'm sending. A very interesting program...

What's up! You haven't been writing for a long time
I got news. I've finally that program you needed
I'm sending it out. Use it. Bye!

Hi, drop me a line today, ok? And see the program I'm sending. Bye!

Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check
the attached documents. Bye.

Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing
them to you. Bye.

Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By
the way, I'm sending you the documents that you've been asking for. Read them out... Bye!

The name of the infected attachment will be any one of the following;

Important.hta
Archive.hta
images.hta
backup.hta
confidential.hta
secret.hta
Document.hta
File.hta
Passwords.hta
Fotos.hta
your_documents.hta
Message.hta
New.hta
private.hta
README.hta

Upon execution of the infected attachment, the worm copies itself as csrss.exe in Windows folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Run

To propagate itself, the worm collects all the available email addresses from the files with following extensions and mails itself to these addresses using its own SMTP engine.

xml, wab, uin, xls, wsh, txt, shtm, sht, tbb, stm, php, nch, msg, oft, ods, mmf, mht, jsp, html, mdx, mbx, htm, dbx, cgi, cfg, eml, dhtm, asp and adb

It attempts to connect to the following website to download a file.

http://xeseretuo.com/m2/g[removed]

This worm first appeared on September 5, 2006.

 Other names of W32/Areses.Q Worm:

This Worm is also known as W32.Areses.Q@mm.