
Win32.Tzar.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Tzar.A@mm is also known as W32/VBSun-A, Worm.Zar.A.

Explanation:

The virus is a mass-mailer written in Visual Basic, 20K in size.

At runtime, it drops three files in the Windows directory (usually c:\windows or c:\winnt), named "tsunami.exe", "raz32.exe" and "crssr.exe". It adds the following value under the registry Run key, so that crssr.exe is launched at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CaptionMgr32 = "%systemroot%\crssr.exe".

It then searches for e-mail addresses in the victim's Outlook address book and sends itself to those addresses in an e-mail with the following format:

Subject: Tsunami Donation! Please help!
Body: Please help us with your donation and view the attachement below! We need you!
Attachment: tsunami.exe
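
A mail-gateway style check for the message format above, as an added example that is not part of the original BitDefender description: it parses a raw message with Python's standard `email` package and reports which of the two indicators (subject line, attachment name) match. The function names, sample addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison.
SUBJECT_IOC = "tsunami donation! please help!"
ATTACHMENT_IOC = "tsunami.exe"


def attachment_names(msg):
    """Return lower-cased file names of every MIME part, including nested ones."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def classify(raw_bytes):
    """Return the set of indicators matched by one raw RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded-words in headers.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    # Collapse folded or repeated whitespace before comparing the subject.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == SUBJECT_IOC:
        hits.add("subject")
    if ATTACHMENT_IOC in attachment_names(msg):
        hits.add("attachment")
    return hits


def build_sample(subject, filename):
    """Build a constructed sample message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"   # constructed address
    m["To"] = "bob@example.com"       # constructed address
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fn in [("Tsunami Donation! Please help!", "Tsunami.EXE"),
                     ("Quarterly report", "report.pdf")]:
        print(subj, "->", sorted(classify(build_sample(subj, fn))))
```

A message matching both indicators is a strong signal; the subject alone may also appear in legitimate charity mail, so treat a single hit as a lead for review.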

The virus will then attempt a denial-of-service attack against the following website:
www.hacksector.de

Last update 21 November 2011
