This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in e-mails with war-related subjects as an attachment named "video.exe", "movie.exe", "click me.exe" and so on. The worm creates its own peer-to-peer network.
After the worm's file is started by a user, it drops a randomly named file into the same folder where it was started from and runs it. This file installs a rootkit and p2p (peer-to-peer) component into the Windows System folder. The file name is wincom32.sys.
The installed component has rootkit features: it hides its Registry keys and active process so that an anti-rootkit engine is needed to reveal them.
In addition, this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Here's an example of the file's contents:
The dropped file also has a blacklist area, but it's empty at the moment.
The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed when the worm is trying to connect to its p2p network.
While taking the above actions, the copy of the worm that remains in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disk drives for victims' e-mail addresses.
The worm ignores e-mail addresses if they contain any of the following substrings:
Then the worm starts to spread in e-mails. It sends messages with the following subjects to all harvested e-mail addresses:
The subjects are war-related and alarming, a common social-engineering trick to draw recipients into executing the attachment. The worm always attaches itself to the e-mails that it sends out. The attachment names can be any of the following:
When a recipient of such e-mail opens the attachment, his/her computer becomes infected and the worm continues its spreading cycle.
The worm kills processes if they have the following substrings in their names:
Creates these keys:
F-Secure Anti-Virus detects this malware with the following updates: