Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Email-Worm:W32/Zhelatin.CT


Discovered:
Aliases:


April 08, 2007
Email-Worm:W32/Zhelatin.CT

Malware
Rootkit, Email-Worm
W32

Summary

The Zhelatin.CT worm started to spread on April 13th, 2007. The worm spreads in e-mails with love-related subjects and with attachments named "Love Card.exe", "Greeting Card.exe" and so on. A bit later the same variant spread using security-related subjects.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The functionality of the Zhelatin.CT worm variant is similar to Zhelatin.CQ , however the subjects and attachment names it uses are different.

On April 13th several e-mails with love themed subjects were seen in the wild. While some of the subjects are a rehash of previously used subjects such as Sending You My Love, The Dance of Love, and When I'm With You, others are new:

  • A Dream is a Wish
  • A Is For Attitude
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • Hugging My Pillow
  • Inside My Heart
  • Kisses Through E-mail
  • Our Journey
  • Sent with Love
  • When Love Comes Knocking
  • You're In My Thoughts
  • You're the One

The e-mail messages themselves have no text, instead, they have attached executables with romantic sounding filenames. These include:

  • Love Card.exe
  • Love Postcard.exe
  • Greeting Card.exe
  • Postcard.exe

Here is an example of the worm's e-mail:

A second run occurred after a few hours. This time, the subjects were security related:

  • ATTN!
  • Spyware Alert!
  • Virus Alert!
  • Worm Alert!
  • Worm Detected!

Furthermore, the message body is an image file which advises the receiver to patch their systems. Also included within the image is a password in order to extract the attachment. Here is an example:

Something new to the Zhelatin family is the use of a password protected Zip archive as an attachment. The filenames vary but they have the following format:

  • patch-[4 to 5 random numerical characters].zip
  • hotfix-[4 to 5 random numerical characters].zip

The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.



Detection



Detection Type: PC
Database: 2007-04-12_07





Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.