Rayon – Removable Storage Worm (Apr 13, 2011)
SonicWALL UTM Research team observed a new variant of the Rayon worm spreading in the wild. It disables various Windows security features as well as security applications that may be used to detect the presence of the malware. The worm spreads through removable storage.
The executables use misleading icons and names as seen below:
It performs the following activities when executed:
- It creates the following copies of itself on the local drive:
- %appdata%\Microsoft\Network\explorer.exe [Detected as GAV: Rayon.CG (Worm)]
- iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- It creates the following copies of itself on attached removable storage drives:
- RECYCLER\RECYCLED.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.exe [Detected as GAV: Rayon.CG (Worm)]
- iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
- It creates an autorun.inf file on removable storage drives with the following contents:
- It creates the following registry entry to ensure that the worm runs on every system reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: "%appdata%\Microsoft\Network\explorer.exe"
- It disables the following services:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache – This service caches DNS resolutions.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc – This is the error reporting service.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess – This service is responsible for NAT, addressing and name resolution.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv – This is the auto-update service.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOM Client Launcher\Security – Windows Firewall cannot run when DCOM is disabled.
- It prevents security applications from being run by creating the registry entry "HKEY_USERS\S-1-5-21-1275210071-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" with the following values:
- 360rpt.exe
- 360safe.exe
- 360Safe.exe
- 360safebox.exe
- 360tray.exe
- adam.exe
- AgentSvr.exe
- AppSvc32.exe
- avconsol.exe
- autoruns.exe
- avgrssvc.exe
- AvMonitor.exe
- avp.com
- avp.exe
- CCenter.exe
- ccSvcHst.exe
- EGHOST.exe
- FTCleanerShell.exe
- FYFireWall.exe
- FileDsty.exe
- HijackThis.exe
- IceSword.exe
- Iparmor.exe
- iparmo.exe
- kabaload.exe
- isPwdSvc.exe
- KaScrScn.SCR
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPF.exe
- KAVPFW.exe
- KAVSetup.exe
- KAVStart.exe
- KISLnchr.exe
- KMailMon.exe
- KMFilter.exe
- KPFW32.exe
- KPFW32X.exe
- KPfwSvc.exe
- KPFWSvc.exe
- KRepair.com
- KRegEx.exe
- KsLoader.exe
- KVCenter.kxp
- KvDetect.exe
- KvfwMcl.exe
- KVMonXP.kxp
- kvol.exe
- KVMonXP_1.kxp
- kvolself.exe
- KvReport.kxp
- KVScan.kxp
- KVSrvXP.exe
- KVStub.kxp
- kvupload.exe
- kvwsc.exe
- KvXP.kxp
- KvXP_1.kxp
- KWatch.exe
- KWatch9x.exe
- KWatchX.exe
- MagicSet.exe
- mcconsol.exe
- mmqczj.exe
- mmsk.exe
- Navapsvc.exe
- Navapw32.exe
- nod32.exe
- nod32krn.exe
- nod32kui.exe
- NPFMntor.exe
- OllyDBG.exe
- OllyICE.exe
- PFW.exe
- PFWLiveUpdate.exe
- QHSET.exe
- procexp.exe
- QQDoctor.exe
- QQKav.exe
- Ras.exe
- RavMonD.exe
- RavStub.exe
- RawCopy.exe
- RegClean.exe
- RegTool.exe
- rfwcfg.exe
- rfwmain.exe
- RfwMain.exe
- rfwProxy.exe
- rfwsrv.exe
- rfwstub.exe
- RsAgent.exe
- Rsaupd.exe
- runiep.exe
- safebank.exe
- safeboxTray.exe
- safelive.exe
- scan32.exe
- shcfg32.exe
- SmartUp.exe
- SREng.exe
- SysSafe.exe
- symlcsvc.exe
- TrojanDetector.exe
- Trojanwall.exe
- TrojDie.kxp
- UIHost.exe
- UmxAttachment.exe
- UmxAgent.exe
- UmxCfg.exe
- UmxFwHlp.exe
- UmxPol.exe
- UpLive.exe
- vsstat.exe
- webscanx.exe
- WinDbg.exe
- WoptiClean.exe
- It makes the following HTTP request to a remote IP address:
- GET /cmd/cmd.php?s=0 HTTP/1.1 – This request returns encrypted data.
- It launches the browser with advertising pages.
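The behaviours listed above translate directly into host-level indicators. The following read-only triage script is an added example, not part of the SonicWALL alert: it checks a Windows host for the persistence value, the dropped copy, the DisallowRun policy, the disabled services and the removable-drive artifacts described above. It assumes DcomLaunch is the service short name behind "DCOM Client Launcher", and the security-tool names it looks for are a small subset of the DisallowRun list.

```powershell
# Added example (not from the SonicWALL alert): triage a host for the Rayon indicators above.
# Run in an elevated PowerShell session; it only reads and reports, it changes nothing.
$findings = @()

# 1. Persistence: policies\Explorer\Run value pointing at the dropped explorer.exe copy
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'Microsoft\\Network\\explorer\.exe') {
            $findings += "Policy Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped copy under %appdata%\Microsoft\Network (the real explorer.exe lives in %windir%)
$drop = Join-Path $env:APPDATA 'Microsoft\Network\explorer.exe'
if (Test-Path $drop) { $findings += "Dropped file present: $drop" }

# 3. DisallowRun policy listing security tools, checked in every loaded user hive
# (subset of the names in the alert; extend as needed)
$blocked = @('360tray.exe','avp.exe','HijackThis.exe','IceSword.exe','procexp.exe','autoruns.exe','OllyDBG.exe')
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $dr = Join-Path $_.PSPath 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $dr) {
        $vals = (Get-ItemProperty $dr).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
        $hits = $vals | Where-Object { $blocked -contains $_ }
        if ($hits) { $findings += "DisallowRun under $($_.PSChildName) blocks: $($hits -join ', ')" }
    }
}

# 4. Services the worm disables (Start = 4 means Disabled). DcomLaunch is assumed to be
# the short name of "DCOM Client Launcher".
foreach ($svc in 'Dnscache','ERSvc','SharedAccess','wuauserv','DcomLaunch') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if ((Test-Path $k) -and ((Get-ItemProperty $k).Start -eq 4)) { $findings += "Service $svc is Disabled" }
}

# 5. autorun.inf and the hidden RECYCLER\RECYCLED.{...} copy on removable drives (DriveType 2)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    if (Test-Path (Join-Path $root 'autorun.inf')) { $findings += "autorun.inf on $root" }
    $rec = Join-Path $root 'RECYCLER\RECYCLED.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.exe'
    if (Test-Path $rec) { $findings += "Hidden worm copy: $rec" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No Rayon indicators found.' }
```

A hit on any single check is worth investigating; the DisallowRun and Run-policy findings together are the strongest signal, since legitimate software rarely sets either.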
SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
GAV: Rayon.CG (Worm)