Rayon – Removable Storage Worm (Apr 13, 2011)

SonicWALL UTM Research team observed a new variant of Rayon worm spreading in the wild. It disables various windows security features as well as security applications that may be used to detect the presence of the malware. The worm spreads through removable storage.

The executables use misleading icons and names as seen below:

screenshot

It performs the following activities when executed:

  • It creates the following copies of itself on the local drive:
    • %appdata%\Microsoft\Network\explorer.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates the following copies of itself on attached removable storage drives:
    • RECYCLER\RECYCLED.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.exe [Detected as GAV: Rayon.CG (Worm)]
    • iPhone Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • Symbian Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]
    • WindowsMobile Ringtone.exe [Detected as GAV: Rayon.CG (Worm)]

  • It creates autorun.inf file on removable storage drives with the following contents:
        screenshot
  • It creates the following registry entry to ensure that the worm runs on every system reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: "%appdata%\Microsoft\Network\explorer.exe"
  • It disables the following services:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache – This service caches DNS resolutions.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc – This is the error reporting service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess – This service is responsible for NAT, addressing and name resolution.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv – This is the auto-update service.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCOM Client LauncherSecurity – Windows firewall cannot run when DCOM is disabled.
  • It prevents security applications from being run by creating the registry entry "HKEY_USERS\S-1-5-21-1275210071-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" with the following values:
    • 360rpt.exe
    • 360safe.exe
    • 360Safe.exe
    • 360safebox.exe
    • 360tray.exe
    • adam.exe
    • AgentSvr.exe
    • AppSvc32.exe
    • avconsol.exe
    • autoruns.exe
    • avgrssvc.exe
    • AvMonitor.exe
    • avp.com
    • avp.exe
    • CCenter.exe
    • ccSvcHst.exe
    • EGHOST.exe
    • FTCleanerShell.exe
    • FYFireWall.exe
    • FileDsty.exe
    • HijackThis.exe
    • IceSword.exe
    • Iparmor.exe
    • iparmo.exe
    • kabaload.exe
    • isPwdSvc.exe
    • KaScrScn.SCR
    • KASMain.exe
    • KASTask.exe
    • KAV32.exe
    • KAVDX.exe
    • KAVPF.exe
    • KAVPFW.exe
    • KAVSetup.exe
    • KAVStart.exe
    • KISLnchr.exe
    • KMailMon.exe
    • KMFilter.exe
    • KPFW32.exe
    • KPFW32X.exe
    • KPfwSvc.exe
    • KPFWSvc.exe
    • KRepair.com
    • KRegEx.exe
    • KsLoader.exe
    • KVCenter.kxp
    • KvDetect.exe
    • KvfwMcl.exe
    • KVMonXP.kxp
    • kvol.exe
    • KVMonXP_1.kxp
    • kvolself.exe
    • KvReport.kxp
    • KVScan.kxp
    • KVSrvXP.exe
    • KVStub.kxp
    • kvupload.exe
    • kvwsc.exe
    • KvXP.kxp
    • KvXP_1.kxp
    • KWatch.exe
    • KWatch9x.exe
    • KWatchX.exe
    • MagicSet.exe
    • mcconsol.exe
    • mmqczj.exe
    • mmsk.exe
    • Navapsvc.exe
    • Navapw32.exe
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • NPFMntor.exe
    • OllyDBG.exe
    • OllyICE.exe
    • PFW.exe
    • PFWLiveUpdate.exe
    • QHSET.exe
    • procexp.exe
    • QQDoctor.exe
    • QQKav.exe
    • Ras.exe
    • RavMonD.exe
    • RavStub.exe
    • RawCopy.exe
    • RegClean.exe
    • RegTool.exe
    • rfwcfg.exe
    • rfwmain.exe
    • RfwMain.exe
    • rfwProxy.exe
    • rfwsrv.exe
    • rfwstub.exe
    • RsAgent.exe
    • Rsaupd.exe
    • runiep.exe
    • safebank.exe
    • safeboxTray.exe
    • safelive.exe
    • scan32.exe
    • shcfg32.exe
    • SmartUp.exe
    • SREng.exe
    • SysSafe.exe
    • symlcsvc.exe
    • TrojanDetector.exe
    • Trojanwall.exe
    • TrojDie.kxp
    • UIHost.exe
    • UmxAttachment.exe
    • UmxAgent.exe
    • UmxCfg.exe
    • UmxFwHlp.exe
    • UmxPol.exe
    • UpLive.exe
    • vsstat.exe
    • webscanx.exe
    • WinDbg.exe
    • WoptiClean.exe

  • It makes the following HTTP request to a remote IP address:
    • GET /cmd/cmd.php?s=0 HTTP/1.1 – This request returns encrypted data.
  • It launches the browser with advertising pages.
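The registry changes listed above (the policies\Explorer\Run persistence entry, the DisallowRun values and the Start=4 service entries) can be checked offline from a `reg export` dump. The following is an added example, not code from the advisory or from SonicWall: it parses a constructed `.reg`-format sample and flags those indicators. The blocked-tool set is a subset of the DisallowRun list above; the `%appdata%\Microsoft\Network\explorer.exe` path assumes the backslashes stripped from the advisory's rendering.

```python
import re

# Constructed sample in `reg export` format (not captured from a real host) carrying
# the three indicator kinds from the advisory: Run policy, DisallowRun, disabled service.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"1"="%appdata%\\Microsoft\\Network\\explorer.exe"

[HKEY_USERS\S-1-5-21-1275210071-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="procexp.exe"
"2"="autoruns.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
'''

# Indicators taken from the advisory (BLOCKED_TOOLS is a subset of its DisallowRun list).
RAYON_PAYLOAD = r'%appdata%\Microsoft\Network\explorer.exe'
DISABLED_SERVICES = {'dnscache', 'ersvc', 'sharedaccess', 'wuauserv'}
BLOCKED_TOOLS = {'procexp.exe', 'autoruns.exe', 'hijackthis.exe', 'ollydbg.exe', 'windbg.exe'}
START_DISABLED = 4  # SCM start type "Disabled"

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Return {key: {value_name: value}}; REG_SZ is unescaped, REG_DWORD becomes int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif (m := VAL_RE.match(line)) and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace('\\\\', '\\')  # .reg doubles backslashes
            elif raw.startswith('dword:'):
                keys[current][name] = int(raw[6:], 16)
    return keys

def find_rayon_indicators(keys):
    """Return (category, detail) tuples for each Rayon-style registry indicator found."""
    findings = []
    for key, values in keys.items():
        parent, _, tail = key.rpartition('\\')
        low = key.lower()
        if low.endswith(r'\policies\explorer\run'):
            findings += [('persistence', f'{key}\\{n} -> {v}') for n, v in values.items()
                         if isinstance(v, str) and v.lower() == RAYON_PAYLOAD.lower()]
        elif low.endswith(r'\policies\explorer\disallowrun'):
            findings += [('tool_block', v) for v in values.values()
                         if isinstance(v, str) and v.lower() in BLOCKED_TOOLS]
        elif (parent.lower().endswith(r'\currentcontrolset\services')
              and tail.lower() in DISABLED_SERVICES and values.get('Start') == START_DISABLED):
            findings.append(('service_disabled', tail))
    return findings
```

Running `find_rayon_indicators(parse_reg_export(SAMPLE_REG))` on the sample yields one persistence hit, two tool_block hits and one service_disabled hit; pointing it at a real `reg export` of HKLM and HKU gives the same triage for a suspect host.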

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

GAV: Rayon.CG (Worm)
