W32.Zezer.Worm

Aliases: I-Worm/Zezer.B, Win32.MSNDozzer.B, Worm.Zezer.B, W32/Dozer.B.worm, Win32/Zezer.B
Variants: Win32/HLLW.Zoder.B, WORM_ZEZER.B,  Worm/Dozer.B1,  W32/Zezer.B, Win32:Dozor-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 01 Oct 2003
Damage: Low

Characteristics: The W32/Zezer.Worm program is a worm that spreads itself through email sending to all the Hotmail addresses that it searches on your Messenger contact list. The worm can steal cached network passwords and could terminate processes of security programs. W32/Zezer.Worm is packed with UPX and is written in Microsoft Visual Basic 6. The Mswinsck.ocx file should be on the PC for the worm to run.

More details about W32.Zezer.Worm

When W32/Zezer.Worm is executed on your system, it copies itself as Mscsgs.exe in Windows folder and Msnexec.exe or Mscsgs32.exe in system folder. It sends the email to Hotmail addresses that the worm found from your MSN Messenger contact list. This e-mail comes with a subject: Windows Update, MSN Messenger vulnerability, or MSN Messenger Update and an attached file named Msn_inst.exe. The worm also adds values to the registry so that so that you can no longer open the registry editor.

Worm software is able to spread to other systems on its own. Once it enters the system, it creates multiple copies of itself. It may drop the infected files in network shares. Other computers connected via the Local Access Network (LAN) may be infected via shared folders or printers. Initialization (.ini) files may also be placed in system drives. Each time a removable memory device is connected to the drive, the .ini file is accessed. This leads to the worm program. The device is infected so that it can spread the worm application to other computers.