Threat Description

Email-Worm:​W32/Zhelatin.CT

Details

Aliases: Email-Worm:​W32/Zhelatin.CT
Category: Malware
Type: Rootkit, Email-Worm
Platform: W32

Summary



The Zhelatin.CT worm started to spread on April 13th, 2007. The worm spreads in e-mails with love-related subjects and with attachments named "Love Card.exe", "Greeting Card.exe" and so on. A bit later the same variant spread using security-related subjects.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The functionality of the Zhelatin.CT worm variant is similar to Zhelatin.CQ , however the subjects and attachment names it uses are different.

On April 13th several e-mails with love themed subjects were seen in the wild. While some of the subjects are a rehash of previously used subjects such as Sending You My Love, The Dance of Love, and When I'm With You, others are new:

  • A Dream is a Wish
  • A Is For Attitude
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • Hugging My Pillow
  • Inside My Heart
  • Kisses Through E-mail
  • Our Journey
  • Sent with Love
  • When Love Comes Knocking
  • You're In My Thoughts
  • You're the One

The e-mail messages themselves have no text, instead, they have attached executables with romantic sounding filenames. These include:

  • Love Card.exe
  • Love Postcard.exe
  • Greeting Card.exe
  • Postcard.exe

Here is an example of the worm's e-mail:

A second run occurred after a few hours. This time, the subjects were security related:

  • ATTN!
  • Spyware Alert!
  • Virus Alert!
  • Worm Alert!
  • Worm Detected!

Furthermore, the message body is an image file which advises the receiver to patch their systems. Also included within the image is a password in order to extract the attachment. Here is an example:

Something new to the Zhelatin family is the use of a password protected Zip archive as an attachment. The filenames vary but they have the following format:

  • patch-[4 to 5 random numerical characters].zip
  • hotfix-[4 to 5 random numerical characters].zip

The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.



Detection



Detection Type: PC
Database: 2007-04-12_07




SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More