P2P Worm Spreading in the Wild (Nov 24, 2010)

The SonicWALL UTM Research team received reports of a new variant of a Peer-to-Peer (P2P) worm spreading in the wild. It propagates through P2P shared folders as well as spammed e-mail; the e-mail carries the malicious executable inside a zip attachment.

Below are sample e-mails:

Subject:

  • You have got a new message on Facebook!
  • You have received A Hallmark E-Card!

Attachment:

  • Facebook message.zip (contains document.htm .exe)
  • Postcard.zip (contains document.htm .exe)

The attachment name places a decoy .htm extension in front of the real .exe extension, separated by whitespace, so a file listing that truncates long names or hides known extensions presents the payload as an HTML document.

Email Body:

    Hi,

    You have got a personal message on Facebook from your friend.
    To read it please check the attachment.
    Thanks,

    The Facebook Team
    ===================================================
    Hello!

    You have received a Hallmark E-Card from your friend.

    To see it, check the attachment.

    There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

    Hope to see you soon,
    Your friends at Hallmark

    ===================================================

The e-mail messages look like below:

    [screenshots of the two lure e-mails not reproduced]
    ===================================================
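The attachment names above rely on the real extension being pushed out of view. The Python script below is an added example, not part of SonicWALL's write-up, that triages a zip attachment without extracting anything: it flags members whose final extension is executable and reports whether a decoy extension is separated from it by whitespace padding or is a plain double extension. The extension lists, the name heuristics and the sample zip contents are constructed for this example.

```python
"""Triage a zip attachment for disguised executables without extracting it."""
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure pretends to be (assumed list).
DECOY_EXTS = {".htm", ".html", ".pdf", ".doc", ".jpg", ".txt"}

# Constructed member name mirroring the "document.htm<padding>.exe" lure above.
LURE_NAME = "document.htm" + " " * 60 + ".exe"


def classify_member(name: str) -> list[str]:
    """Return the reasons a zip member name looks like a disguised executable
    (empty list when nothing is suspicious)."""
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1].lower()          # zip member paths use '/'
    ext = re.search(r"(\.[a-z0-9]{1,4})\s*$", base)
    final_ext = ext.group(1) if ext else ""
    if final_ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension {final_ext}")
    # Decoy extension, then two or more spaces, then the real extension.
    padded = re.search(r"(\.[a-z0-9]{1,4})(\s{2,})" + re.escape(final_ext) + r"\s*$", base)
    if padded and padded.group(1) in DECOY_EXTS:
        reasons.append(f"decoy extension {padded.group(1)} hidden by {len(padded.group(2))} spaces")
    elif re.search(r"\.[a-z0-9]{1,4}" + re.escape(final_ext) + r"\s*$", base):
        reasons.append("double extension")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map suspicious member names to reasons; only the central directory is read."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for 'Facebook message.zip'; the payload is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LURE_NAME, b"MZ filler, not a real executable")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

Run it against a mail gateway's quarantined attachments by passing the raw zip bytes to triage_zip; a member whose name trips the padding check is a stronger signal than a bare executable extension, because no legitimate archive needs sixty spaces inside a file name.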

Once the user runs the executable, the worm performs the following actions:

File Operation:

Added Files

  • Documents and Settings\{user}\Application Data\SystemProc\lsass.exe – (172KB) [ Detected as GAV: Injector.CQX (Worm) ]
  • WINDOWS\system32\HPWuSchdi.exe – (320KB) [ Detected as GAV: Injector.CQX (Worm) ]
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul [ Detected as GAV: Dursg.G (Trojan) ]
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

The dropped lsass.exe borrows the name of the Windows Local Security Authority process; the genuine one lives in WINDOWS\system32, never under a user's Application Data.

Registry Operation:

Added Entries

  • HKEY_CURRENT_USER\Identities  Curr version = “25”
  • HKEY_CURRENT_USER\Identities  Last Date = “24-11-2010”
  • HKEY_CURRENT_USER\Identities  Inst Date = “24-11-2010”
  • HKEY_CURRENT_USER\Identities  Popup count = “0”
  • HKEY_CURRENT_USER\Identities  Popup time = “0”
  • HKEY_CURRENT_USER\Identities  Popup date = “0”

  Disables User Account Control so that the worm runs without prompting the user (the change takes effect after the next reboot and has no effect on Windows XP, which has no UAC):

  • KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Value: EnableLUA
    Data: dword:00000000

  Ensures the worm runs on every Windows startup:

  • KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: HP Software Updater v1.3
    Data: “WINDOWS\System32\HPWuSchdi.exe”
  • KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Value: RTHDBPL
    Data: “Documents and Settings\{user}\Application Data\SystemProc\lsass.exe”

  Adds itself to the Windows Firewall authorized-applications list so that its network traffic is not blocked:

  • KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Value: C:\WINDOWS\System32\HPWuSchdi.exe
    Data: “C:\WINDOWS\System32\HPWuSchdi.exe:*:Enabled:Explorer”
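The registry changes above form a recognisable pattern: an autorun value with a vendor-style name pointing into System32, a second autorun under policies\Explorer\Run pointing into the user's Application Data, a firewall exception whose display name borrows a Windows component name, and EnableLUA cleared. The Python below is an added example, not SonicWALL's tooling, that encodes those checks as heuristics over a snapshot of the relevant keys; collect_snapshot reads them live with winreg on Windows, and SAMPLE is a constructed snapshot of the entries listed above so the checks can be exercised on any host. The user-writable directory list and the borrowed-name list are assumptions.

```python
"""Check autorun, firewall and UAC registry state for the persistence pattern above."""
from __future__ import annotations

import sys

# Lower-cased fragments of directories an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\", "\\temp\\")
# Windows component names that malware borrows for display strings (assumed list).
WINDOWS_NAMES = {"explorer", "svchost", "lsass", "winlogon", "services", "csrss"}

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
LUA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

# Constructed snapshot holding the indicators listed above.
SAMPLE = {
    "run": [
        (RUN_KEYS[0], "HP Software Updater v1.3", r'"WINDOWS\System32\HPWuSchdi.exe"'),
        (RUN_KEYS[2], "RTHDBPL",
         r'"Documents and Settings\{user}\Application Data\SystemProc\lsass.exe"'),
    ],
    "firewall": [r"C:\WINDOWS\System32\HPWuSchdi.exe:*:Enabled:Explorer"],
    "enable_lua": 0,
}


def basename(win_path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return win_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def parse_authorized_app(entry: str) -> tuple[str, str, str, str]:
    """Split an XP-era AuthorizedApplications\\List value, <path>:<scope>:<state>:<name>;
    rsplit keeps the drive-letter colon inside the path."""
    path, scope, state, name = entry.rsplit(":", 3)
    return path, scope, state, name


def check_run_entry(key: str, value_name: str, image: str) -> list[str]:
    out: list[str] = []
    low = image.strip('"').lower()
    where = f"{key}\\{value_name}"
    if any(d in low for d in USER_WRITABLE):
        out.append(f"{where}: autorun image in a user-writable directory ({image})")
    if "policies\\explorer\\run" in key.lower():
        out.append(f"{where}: autorun via policies\\Explorer\\Run, rare outside Group Policy")
    if "\\system32\\" in low and not value_name.lower().startswith(("microsoft", "windows")):
        out.append(f"{where}: third-party branded autorun pointing into System32")
    return out


def check_firewall_entry(entry: str) -> list[str]:
    out: list[str] = []
    path, _scope, state, name = parse_authorized_app(entry)
    if state.lower() != "enabled":
        return out
    if name.lower() in WINDOWS_NAMES and basename(path).lower() != f"{name.lower()}.exe":
        out.append(f"firewall exception for {path} labelled '{name}' (borrowed Windows name)")
    if any(d in path.lower() for d in USER_WRITABLE):
        out.append(f"firewall exception for executable in user-writable directory {path}")
    return out


def evaluate(snapshot: dict) -> list[str]:
    """snapshot = {'run': [(key, value_name, data)], 'firewall': [entry], 'enable_lua': int|None}."""
    findings: list[str] = []
    for key, value_name, data in snapshot.get("run", []):
        findings += check_run_entry(key, value_name, data)
    for entry in snapshot.get("firewall", []):
        findings += check_firewall_entry(entry)
    if snapshot.get("enable_lua") == 0:
        findings.append(f"{LUA_KEY}\\EnableLUA = 0: UAC disabled (effective after the next reboot)")
    return findings


def collect_snapshot() -> dict:
    """Read the same keys from the live registry; Windows only (winreg)."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}

    def values(full_key: str):
        hive, sub = full_key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):   # [1] = number of values
                    name, data, _type = winreg.EnumValue(k, i)
                    yield name, data
        except OSError:          # key absent on this host
            return

    snap = {"run": [], "firewall": [], "enable_lua": None}
    for key in RUN_KEYS:
        snap["run"] += [(key, n, str(d)) for n, d in values(key)]
    snap["firewall"] = [str(d) for _n, d in values(FIREWALL_KEY)]
    snap["enable_lua"] = dict(values(LUA_KEY)).get("EnableLUA")
    return snap


if __name__ == "__main__":
    for finding in evaluate(collect_snapshot() if sys.platform == "win32" else SAMPLE):
        print(finding)
```

Each heuristic is deliberately narrow: a Microsoft-branded value pointing into System32 is normal, a third-party "updater" there is not; a firewall entry labelled Explorer that does not point at explorer.exe is a borrowed name rather than a naming quirk. Treat any single hit as a lead and two or more from the same host as the full pattern.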

Malware Propagation:

    Peer-to-Peer Applications

    This worm drops copies of itself into P2P shared folders, using filenames taken from the list below:

    Shared folders it targets (paths relative to the system drive):

    • program files\winmx\shared
    • program files\tesla\files
    • program files\limewire\shared
    • program files\morpheus\my shared folder
    • program files\emule\incoming
    • program files\edonkey2000\incoming
    • program files\bearshare\shared
    • program files\grokster\my grokster
    • program files\icq\shared folder
    • program files\kazaa lite k++\my shared folder
    • program files\kazaa lite\my shared folder
    • program files\kazaa\my shared folder

    The filenames it uses when copying itself into those folders pose as key generators, cracks and hacking tools for popular commercial applications:

    • AOL Instant Messenger (AIM) Hacker.exe
    • AOL Password Cracker.exe
    • Ad-aware 2010.exe
    • Adobe Acrobat Reader keygen.exe
    • Adobe Illustrator CS4 crack.exe
    • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
    • Alcohol 120 v1.9.x.exe
    • Anti-Porn v13.x.x.x.exe
    • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • Ashampoo Snap 3.xx [Skarleot Group].exe
    • Avast 4.x Professional.exe
    • Avast 5.x Professional.exe
    • BitDefender AntiVirus 2010 Keygen.exe
    • Blaze DVD Player Pro v6.52.exe
    • Brutus FTP Cracker.exe
    • CleanMyPC Registry Cleaner v6.02.exe
    • Counter-Strike Serial key generator [Miona patch].exe
    • DCOM Exploit archive.exe
    • DVD Tools Nero 10.x.x.x.exe
    • Daemon Tools Pro 4.8.exe
    • DivX 5.x Pro KeyGen generator.exe
    • Divx Pro 7.x version Keymaker.exe
    • Download Accelerator Plus v9.2.exe
    • Download Boost 2.0.exe
    • FTP Cracker.exe
    • G-Force Platinum v3.7.6.exe
    • Google SketchUp 7.1 Pro.exe
    • Grand Theft Auto IV [Offline Activation + mouse patch].exe
    • Half-Life 2 Downloader.exe
    • Hotmail Cracker [Brute method].exe
    • Hotmail Hacker [Brute method].exe
    • ICQ Hacker Trial version [brute].exe
    • IP Nuker.exe
    • Image Size Reducer Pro v1.0.1.exe
    • Internet Download Manager V5.exe
    • K-Lite Mega Codec v5.2 Portable.exe
    • K-Lite Mega Codec v5.2.exe
    • Kaspersky AntiVirus 2010 crack.exe
    • Kaspersky Internet Security 2010 keygen.exe
    • Keylogger unique builder.exe
    • L0pht 4.0 Windows Password Cracker.exe
    • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
    • MSN Password Cracker.exe
    • Magic Video Converter 8.exe
    • McAfee Total Protection 2010 [serial patch by AnalGin].exe
    • Microsoft Visual Basic KeyGen.exe
    • Microsoft Visual C++ KeyGen.exe
    • Microsoft Visual Studio KeyGen.exe
    • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
    • Motorola, nokia, ericsson mobil phone tools.exe
    • Mp3 Splitter and Joiner Pro v3.48.exe
    • Myspace theme collection.exe
    • NetBIOS Cracker.exe
    • NetBIOS Hacker.exe
    • Norton Anti-Virus 2005 Enterprise Crack.exe
    • Norton Anti-Virus 2010 Enterprise Crack.exe
    • Norton Internet Security 2010 crack.exe
    • PDF password remover (works with all acrobat reader).exe
    • Password Cracker.exe
    • Power ISO v4.4 + keygen milon.exe
    • Rapidshare Auto Downloader 3.8.6.exe
    • Sophos antivirus updater bypass.exe
    • Sub7 2.5.1 Private.exe
    • Super Utilities Pro 2009 11.0.exe
    • Total Commander7 license+keygen.exe
    • Tuneup Ultilities 2010.exe
    • Twitter FriendAdder 2.3.9.exe
    • UT 2003 KeyGen.exe
    • VmWare 7.x keygen.exe
    • Website Hacker.exe
    • WinRAR v3.x keygen [by HiXem].exe
    • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
    • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • Windows Password Cracker + Elar3 key.exe
    • Windows2008 keygen and activator.exe
    • YouTubeGet 5.6.exe
    • Youtube Music Downloader 1.3.exe
    • [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
    • [Eni0j0 team] Vmvare keygen.exe
    • [Eni0j0 team] Windows 7 Ultimate keygen.exe
    • [antihack tool] Trojan Killer v2.9.4173.exe
    • [fixed]RapidShare Killer AIO 2010.exe
    • [patched, serial not need] Nero 9.x keygen.exe
    • [patched, serial not needed] Absolute Video Converter 6.2-7.exe
    • [patched, serial not needed] PDF Unlocker v2.0.5.exe
    • [patched, serial not needed] PDF to Word Converter 3.4.exe
    • sdbot with NetBIOS Spread.exe
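Because the worm copies a single executable into every shared folder it finds, under dozens of names, the copies are byte-identical even where the name carries no obvious lure word. The Python below is an added example, not from the original analysis, that walks a list of share folders, flags .exe files whose names contain typical keygen/crack/hacktool words, and separately groups executables by SHA-256 so that one hash appearing under several names stands out. The lure-word pattern is an assumption, and build_demo_share creates a constructed directory of inert filler files for the demonstration.

```python
"""Sweep P2P shared folders for a self-copying worm's lure files."""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Words that dominate the lure list above (assumed pattern; tune to your environment).
LURE_WORDS = re.compile(r"keygen|crack|hacker|cracker|activator|exploit|nuker|patched|sdbot", re.I)

# The worm's own target folders, relative to Program Files.
SHARE_DIRS = [
    r"winmx\shared", r"tesla\files", r"limewire\shared", r"morpheus\my shared folder",
    r"emule\incoming", r"edonkey2000\incoming", r"bearshare\shared", r"grokster\my grokster",
    r"icq\shared folder", r"kazaa lite k++\my shared folder", r"kazaa lite\my shared folder",
    r"kazaa\my shared folder",
]


def default_share_roots(program_files: str = r"C:\Program Files") -> list[str]:
    return [os.path.join(program_files, d) for d in SHARE_DIRS]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(share_roots: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Return (lure_hits, clones).
    lure_hits: .exe files whose names carry warez/hacktool lure words.
    clones: sha256 -> paths, only for a hash seen under two or more different
    file names, which is exactly what a self-copying worm produces."""
    lure_hits: list[str] = []
    by_hash: dict[str, list[str]] = defaultdict(list)
    for root in share_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                path = os.path.join(dirpath, name)
                if LURE_WORDS.search(name):
                    lure_hits.append(path)
                by_hash[sha256_file(path)].append(path)
    clones = {h: sorted(paths) for h, paths in by_hash.items()
              if len({os.path.basename(p).lower() for p in paths}) >= 2}
    return sorted(lure_hits), clones


def build_demo_share() -> str:
    """Constructed share tree: three byte-identical 'copies' under lure names, one
    unique installer, one non-executable. All contents are inert filler."""
    root = tempfile.mkdtemp(prefix="p2p_demo_")
    worm = b"MZ filler standing in for the worm body"
    for name in ("Adobe Acrobat Reader keygen.exe",
                 "Norton Internet Security 2010 crack.exe",
                 "Windows 2008 Enterprise Server VMWare Virtual Machine.exe"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(worm)
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ a different, unique file")
    with open(os.path.join(root, "song.mp3"), "wb") as f:
        f.write(b"ID3 not audio")
    return root


if __name__ == "__main__":
    hits, clones = sweep([build_demo_share()])
    print("lure names:", *hits, sep="\n  ")
    for digest, paths in clones.items():
        print(f"{digest[:16]}... appears under {len(paths)} names:", *paths, sep="\n  ")
```

In the demo the "VMWare Virtual Machine" copy matches no lure word, yet the hash grouping still ties it to the two keygen/crack copies; on a real host, feed sweep(default_share_roots()) and submit one member of each clone group for analysis rather than all of them.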

    Mass-Mailing

    This worm harvests e-mail addresses from the system and sends spam e-mails carrying a copy of itself as the attachment.

Network Activity:

The following HTTP request was observed from this worm:

  • http://controll{REMOVED}ckout

Pop-up Advertisements

    This worm injects code into the following browsers to monitor the user's search queries:

    • Internet Explorer
    • Opera
    • Chrome
    • Firefox

    The worm watches URLs on the following search domains for keyword terms:

    • google
    • search
    • yahoo
    • live
    • msn
    • bing
    • youtube

    When one of the following keyword terms appears in such a search, the worm displays pop-up advertisements served from the domains “tetrosearch.com” or “oxoblaster.com”:

    • airlines
    • amazon
    • antivir
    • antivirus
    • baby
    • bank
    • bany
    • baseball
    • books
    • cars
    • casino
    • cialis
    • cigarettes
    • comcast
    • craigslist
    • credit
    • dating
    • design
    • diet
    • doctor
    • dvd
    • ebay
    • estate
    • fashion
    • film
    • finance
    • flights
    • flower
    • footbal
    • football
    • gambling
    • game
    • gifts
    • golf
    • graphic
    • health
    • hotel
    • insurance
    • iphone
    • ipod
    • job
    • loan
    • loans
    • medical
    • military
    • mobile
    • money
    • mortgage
    • movie
    • music
    • myspace
    • pharma
    • pocker
    • poker
    • porn
    • school
    • sex
    • shop
    • software
    • sport
    • spybot
    • spyware
    • trading
    • tramadol
    • travel
    • twitter
    • verizon
    • video
    • virus
    • vocations
    • wallpaper
    • weather
    • yobt
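The trigger described above (a search-engine URL containing a monitored keyword, followed by a pop-up from one of two ad domains) leaves a matching pattern in proxy logs. The Python below is an added example, not part of the original write-up, that reproduces the trigger condition as a detection: it extracts query terms from search-engine URLs and reports any ad-domain request that follows a monitored search by the same client within a short window. The log format, the query-parameter names and the keyword subset are assumptions constructed for the example.

```python
"""Find proxy-log evidence of keyword-triggered pop-ups from the two ad domains."""
from __future__ import annotations

from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

SEARCH_HOSTS = ("google", "search", "yahoo", "live", "msn", "bing", "youtube")
AD_DOMAINS = ("tetrosearch.com", "oxoblaster.com")
# Subset of the keyword list above; add the rest for production use.
KEYWORDS = {"antivirus", "bank", "casino", "credit", "insurance", "loan", "mortgage",
            "poker", "software", "spyware", "travel", "virus"}
# Query parameters carrying the search text (assumed: google/bing/msn, yahoo, youtube).
QUERY_PARAMS = ("q", "p", "search_query")

# Constructed proxy log: "<ISO time> <client ip> <url>".
SAMPLE_LOG = """\
2010-11-24T10:00:01 10.0.0.5 http://www.google.com/search?q=cheap+car+insurance
2010-11-24T10:00:03 10.0.0.5 http://ads.tetrosearch.com/show?id=1
2010-11-24T10:00:09 10.0.0.7 http://www.bing.com/search?q=python+tutorials
2010-11-24T10:00:10 10.0.0.7 http://example.com/
2010-11-24T10:05:00 10.0.0.9 http://search.yahoo.com/search?p=online+poker
2010-11-24T10:06:30 10.0.0.9 http://oxoblaster.com/pop
""".splitlines()


def monitored_terms(url: str) -> set[str]:
    """Keywords in a search URL that would satisfy the worm's trigger condition.
    The host test is a substring match, as the domain list above implies."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(s in host for s in SEARCH_HOSTS):
        return set()
    words: set[str] = set()
    for key in QUERY_PARAMS:
        for value in parse_qs(parts.query).get(key, []):
            words.update(value.lower().split())
    return words & KEYWORDS


def parse_line(line: str) -> tuple[datetime, str, str]:
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, url


def correlate(lines: list[str], window: timedelta = timedelta(seconds=30)) -> list[tuple[str, str, str]]:
    """(client, keyword, ad host) for each ad-domain request that follows, within
    `window`, a monitored search from the same client."""
    events = sorted(parse_line(line) for line in lines if line.strip())
    hits: list[tuple[str, str, str]] = []
    recent: dict[str, list[tuple[datetime, set[str]]]] = {}
    for ts, client, url in events:
        host = (urlsplit(url).hostname or "").lower()
        terms = monitored_terms(url)
        if terms:
            recent.setdefault(client, []).append((ts, terms))
        if any(host == d or host.endswith("." + d) for d in AD_DOMAINS):
            for when, kws in recent.get(client, []):
                if timedelta(0) <= ts - when <= window:
                    for kw in sorted(kws):
                        hits.append((client, kw, host))
    return hits


if __name__ == "__main__":
    for client, kw, host in correlate(SAMPLE_LOG):
        print(f"{client}: search for '{kw}' followed by pop-up from {host}")
```

Only the first client in the sample fires: the second never searched for a monitored term, and the third's ad request falls outside the 30-second window. A bare request to either ad domain is already worth an alert on its own; the correlation tells you which machine carries the browser hook rather than a user who merely clicked a link.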

The worm is also known as Worm/BlackControl.H [Antivir], Inject-AAI [Avast] and Troj/Agent-OLK [Eset].

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Injector.CQX (Worm)
  • GAV: Dursg.G (Trojan)
