New mass-mailing worm seen in the wild (Sep 10, 2010)
SonicWALL UTM Research team observed a new variant of the Autorun worm spreading in the wild. The worm spreads through e-mail, removable storage and network shares. The e-mail campaign contains a link that points to the Autorun worm itself (the link names a .pdf or .wmv file, but what it serves is the worm executable). Sample e-mails look like the following:
Link to PDF file [Mass-mailing worm]
Subject: Here you have
Email Body:
————————
Hello:
This is The Document I told you about,you can find it Here.http://www.{removed}/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
————————
Link to WMV file [Adult Spam]
Subject: Just for you
Email Body:
————————
Hello:
This is The Free Dowload Sex Movies,you can find it Here.
http://www.{removed}/library/SEX21.025542010.wmv
Enjoy Your Time.
Cheers,
————————
If the user downloads and opens the file, it performs the following activities on the victim's machine:
- Network Activity:
- It connects to members.multimania.co.uk and downloads multiple files. The malicious account hosting these files was disabled by Lycos UK.
- File Activity:
It creates the following files
- C:\autorun.inf
- C:\open.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
- C:\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
- %windir%\autorun.inf
- %windir%\autorun2.inf
- %windir%\csrss.exe (copy of itself; note that the legitimate csrss.exe lives in %windir%\system32) – Detected as GAV: AutoRun.ICO (Worm)
- %windir%\ff.exe – Detected as GAV: Pass.A_2 (Hacktool)
- %windir%\gc.exe – Detected as GAV: NetPass.FX (Hacktool)
- %windir%\ie.exe – Detected as GAV: IEPassView.G (Hacktool)
- %windir%\im.exe – Detected as GAV: Messen.HX (Hacktool)
- %windir%\op.exe – Detected as GAV: PassView.A (Hacktool)
- %windir%\pspv.exe – Detected as GAV: PSPassView.A (Hacktool)
- %windir%\rd.exe – Detected as GAV: IEPassView.G (Hacktool)
- %windir%\re.exe – Detected as GAV: PsExec.D (Hacktool)
- %windir%\re.iq
- %windir%\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
- %windir%\tryme1.exe
- %windir%\vb.vbs – Detected as GAV: VBS.TRZ (Trojan)
- %windir%\system\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
- %windir%\system\update.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
- %windir%\system32\SendEmail.dll – Detected as GAV: Sendmail.MOK (Hacktool)
It replaces the following files
- %windir%\system32\drivers\etc\hosts
It deletes the following files
- All .exe files on the desktop
- Process Activity:
It creates the following process in memory
- %windir%\csrss.exe
- Registry Activity:
- It sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to "Explorer.exe C:\WINDOWS\csrss.exe" so that its copy is launched at every logon and the infection survives a reboot (the default value is "Explorer.exe" alone)
- It disables the Windows Security Center service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
- It disables the Windows Automatic Updates service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
- It creates multiple registry entries that intercept execution of other programs, a technique known as Image File Execution Options (IFEO) hijacking: Windows launches whatever is named in the Debugger value in place of the program, with the original command line as its argument.
It adds the value "C:\WINDOWS\csrss.exe" to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{process}\Debugger, so launching {process} starts the worm instead
- Propagation:
- It mass emails itself using the email campaigns seen above
- It copies itself onto removable storage media as open.exe and replaces autorun.inf so that the copy launches when the media is inserted
- It copies itself onto network shares using the vb.vbs script it created
- Harvesting Credentials:
- It downloads multiple password-harvesting tools (the ff.exe, gc.exe, ie.exe, im.exe, op.exe, pspv.exe and rd.exe files listed above) and harvests user credentials
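The host indicators listed above (dropped files, the Winlogon Shell and IFEO Debugger values, the deleted service Start values, the replaced hosts file and the removable-media copies) can be checked on a suspect machine with the following PowerShell triage script. It is an added example written for this page, not SonicWALL tooling; it only reads and reports, it does not clean anything. It assumes PowerShell 3.0 or later (for Get-CimInstance), an elevated session so HKLM and %windir% are readable, and that the indicator lists are transcribed as they appear on this page; the Kind/Detail output shape is my own.

```powershell
# Triage for the "Here you have" Autorun worm variant described above (added example, not the vendor's code).
# Read-only: collects matching indicators into $findings and prints them. Run elevated.
$windir = $env:windir
$user   = $env:USERNAME   # expands the page's "{Logged on User}" placeholder

# Dropped-file indicators transcribed from the advisory.
$droppedFiles = @(
    'C:\autorun.inf', 'C:\open.exe', "C:\$user CV 2010.exe",
    "$windir\autorun.inf", "$windir\autorun2.inf", "$windir\csrss.exe",
    "$windir\ff.exe", "$windir\gc.exe", "$windir\ie.exe", "$windir\im.exe",
    "$windir\op.exe", "$windir\pspv.exe", "$windir\rd.exe", "$windir\re.exe",
    "$windir\re.iq", "$windir\tryme1.exe", "$windir\vb.vbs",
    "$windir\$user CV 2010.exe",
    "$windir\system\$user CV 2010.exe", "$windir\system\update.exe",
    "$windir\system32\SendEmail.dll"
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Dropped files on disk.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f }
}

# 2. A csrss.exe process whose image is %windir%\csrss.exe. The genuine one runs from %windir%\system32,
#    so any instance one directory up is the worm. ExecutablePath can be null for protected processes.
Get-CimInstance Win32_Process -Filter "Name='csrss.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and ($_.ExecutablePath -ieq "$windir\csrss.exe")) {
        Add-Finding 'Process' "PID $($_.ProcessId) $($_.ExecutablePath)"
    }
}

# 3. Winlogon Shell: anything other than plain "Explorer.exe" is suspicious; the worm appends its csrss.exe copy.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ine 'explorer.exe')) { Add-Finding 'Registry' "Winlogon\Shell = $shell" }

# 4. IFEO hijack: any Debugger value that launches csrss.exe in place of the real program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and ($dbg -imatch 'csrss\.exe')) {
        Add-Finding 'Registry' "IFEO\$($_.PSChildName)\Debugger = $dbg"
    }
}

# 5. Services the worm disables by deleting their Start value. A service key without Start cannot be started.
foreach ($svc in 'wscsvc', 'wuauserv') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $start = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
        if ($null -eq $start) { Add-Finding 'Registry' "$svc has no Start value" }
    }
}

# 6. Replaced hosts file: report every active entry that is not the localhost line, for analyst review.
$hosts = "$windir\system32\drivers\etc\hosts"
if (Test-Path $hosts) {
    Get-Content $hosts |
        Where-Object { ($_ -match '\S') -and ($_ -notmatch '^\s*#') -and ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b') } |
        ForEach-Object { Add-Finding 'Hosts' $_.Trim() }
}

# 7. Removable drives (DriveType 2): open.exe at the root, or an autorun.inf that references it.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    $hit  = Test-Path (Join-Path $root 'open.exe')
    if (-not $hit -and (Test-Path $inf)) { $hit = (Get-Content $inf -Raw) -imatch 'open\.exe' }
    if ($hit) { Add-Finding 'Removable' $root }
}

if ($findings.Count -eq 0) { 'No indicators from this advisory found.' } else { $findings | Format-Table -AutoSize }
```

Checks 3 and 4 are the ones worth keeping in a generic baseline even after this campaign: a Winlogon Shell value that is not exactly "Explorer.exe", or an IFEO Debugger value that is not a known debugger, is a persistence indicator regardless of which malware set it. The hosts-file check will also list legitimate custom entries, so treat that output as a review list rather than a verdict.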
SonicWALL Gateway AntiVirus provides protection against this Autorun worm variant with the following signatures:
GAV: AutoRun.ICO (Worm)
GAV: IEPassView.G (Hacktool)
GAV: NetPass.FX (Hacktool)
GAV: PassView.A (Hacktool)
GAV: Pass.A_2 (Hacktool)
GAV: Messen.HX (Hacktool)
GAV: PSPassView.A (Hacktool)
GAV: PsExec.D (Hacktool)
GAV: Sendmail.MOK (Hacktool)
GAV: VBS.TRZ (Trojan)