Win32/Tupym


Microsoft security software detects and removes this threat.

This worm can stop some processes from working on your PC. It can also delete your system restore points.

It spreads through malicious links in instant messages sent through Yahoo Messenger and Google Talk. It can also spread through network or removable drives, such as USB flash drives.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat copies itself to one of the following locations with read-only, hidden and system attributes:

It also creates one of the following autorun files which we detect as Win32/Tupym.A!inf:

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
With data: "<worm copy>", for example, <system folder>\system3_.exe

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe <worm copy>", for example "explorer.exe <system folder>\system3_.exe"

It also tries to create a scheduled Windows task that runs the worm at 09:00 every day of the week, by running the following Windows shell command:

  • C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <worm copy>, for example C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\system3_.exe
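The three persistence points above (the HKCU Run value, the Winlogon Shell value and the AT job) are also the cheapest things to check when triaging a suspect PC. The following script is an added example written for this page, not Microsoft's code or the worm's. It works offline over values already collected from the machine (for example the output of `reg query`, or process command lines from a Sysmon or EDR export), so it never touches a live registry. The sample inputs at the bottom are constructed from the registry data and command quoted above; the `OneDrive` and `svchost.exe` entries are benign filler, not indicators.

```python
"""Offline triage for the Win32/Tupym autostart persistence described above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# On a clean Windows install the Winlogon Shell value is exactly this string.
DEFAULT_SHELL = "explorer.exe"

# Run-key value name the worm creates. The misspelling "Messengger" is part of
# the indicator, so match it literally (case-insensitively) instead of looking
# for the legitimate "Yahoo Messenger".
TUPYM_RUN_VALUE = "yahoo messengger"

# Command line of the AT job the worm schedules: an interactive job at 09:00
# on every day of the week. The named group captures the scheduled program.
AT_JOB_RE = re.compile(
    r"\bAT\s+09:00\s+/interactive\s+/EVERY:m,t,w,th,f,s,su\s+(?P<program>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    source: str  # where the indicator was observed
    detail: str  # what was observed


def check_run_values(run_values: dict[str, str]) -> list[Finding]:
    """Flag the HKCU Run value this worm creates, whatever program it points at."""
    return [
        Finding("HKCU\\...\\CurrentVersion\\Run", f"{name} = {data}")
        for name, data in run_values.items()
        if name.strip().lower() == TUPYM_RUN_VALUE
    ]


def check_winlogon_shell(shell_data: str) -> list[Finding]:
    """Anything appended after 'explorer.exe' in Winlogon\\Shell is started at
    logon next to the desktop; a value that does not start with explorer.exe
    means the shell itself was replaced."""
    value = shell_data.strip().strip('"')
    if value.lower() == DEFAULT_SHELL:
        return []
    if value.lower().startswith(DEFAULT_SHELL):
        extra = value[len(DEFAULT_SHELL):].strip()
        if extra:
            return [Finding("HKLM\\...\\Winlogon\\Shell",
                            f"extra program after explorer.exe: {extra}")]
    return [Finding("HKLM\\...\\Winlogon\\Shell", f"shell replaced: {value}")]


def check_command_lines(command_lines: list[str]) -> list[Finding]:
    """Scan recorded process command lines (e.g. Sysmon event 1) for the AT job."""
    findings = []
    for line in command_lines:
        match = AT_JOB_RE.search(line)
        if match:
            findings.append(Finding("process command line",
                                    f"AT job runs {match.group('program')} daily at 09:00"))
    return findings


def triage(run_values: dict[str, str], shell_data: str,
           command_lines: list[str]) -> list[Finding]:
    """Run all three checks and return every finding."""
    return (check_run_values(run_values)
            + check_winlogon_shell(shell_data)
            + check_command_lines(command_lines))


# Constructed sample input modelled on the data quoted in this entry; these are
# not values captured from a real infection.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Yahoo Messengger": r"C:\WINDOWS\system32\system3_.exe",
}
SAMPLE_SHELL = r'"explorer.exe C:\WINDOWS\system32\system3_.exe"'
SAMPLE_COMMAND_LINES = [
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\system3_.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_SHELL, SAMPLE_COMMAND_LINES):
        print(f"[{finding.source}] {finding.detail}")
```

The Shell check is deliberately generic: the worm's own value name is a brittle indicator, but a Winlogon Shell value that is anything other than `explorer.exe` is worth a look regardless of which malware family wrote it.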

Spreads through...

Network shares and removable drives

The worm enumerates connected shared drives by checking the value within the following registry subkey:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

It copies itself to the root of any discovered shared or removable drives as New Folder.exe. It also copies itself to all folders as <folder name>.exe, where <folder name> is the name of the current folder. It also copies its autorun.ini file as autorun.inf with read-only, hidden and system attributes.
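The layout left on a share or USB stick (autorun.inf and New Folder.exe at the root, plus a <folder name>.exe inside every folder) can be hunted for with a simple walk of the mount point. The script below is an added example written for this page, not Microsoft's code. It looks only at names and layout, not at the read-only/hidden/system attributes, so it runs on any OS. Because the worm drops byte-identical copies of itself, it also hashes every hit: many hits sharing one hash is much stronger evidence than any single suspicious file name (a legitimate `Setup\Setup.exe` would trigger the name rule alone). The sample tree it builds is constructed for the example, with a placeholder byte string in place of the worm and a stub `[autorun]` section, since this entry does not give the autorun.inf contents.

```python
"""Hunt for the Win32/Tupym file layout on a share or removable drive."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def scan_drive_root(root: Path) -> list[tuple[str, Path]]:
    """Return (indicator, path) pairs for every Tupym-style artifact under root."""
    root = Path(root)
    hits: list[tuple[str, Path]] = []

    # Root-level droppers. Windows file names are case-insensitive, so compare
    # lower-cased names rather than probing fixed paths.
    for entry in root.iterdir():
        if entry.is_file():
            name = entry.name.lower()
            if name == "autorun.inf":
                hits.append(("autorun.inf at drive root", entry))
            elif name == "new folder.exe":
                hits.append(("New Folder.exe at drive root", entry))

    # Per-folder copies named after the folder that contains them. The root
    # itself is skipped: on a real drive root its name is empty anyway.
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder == root:
            continue
        wanted = f"{folder.name}.exe".lower()
        for filename in filenames:
            if filename.lower() == wanted:
                hits.append(("<folder name>.exe inside folder", folder / filename))
    return hits


def group_by_hash(paths: list[Path]) -> dict[str, list[Path]]:
    """Group files by SHA-256 so identical copies of the worm stand out."""
    groups: dict[str, list[Path]] = {}
    for path in paths:
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        groups.setdefault(digest, []).append(path)
    return groups


def build_sample_drive() -> Path:
    """Constructed sample tree imitating an infected USB stick (not a real
    capture). The 'worm' is a placeholder byte string, never an executable."""
    root = Path(tempfile.mkdtemp(prefix="tupym_demo_"))
    fake_worm = b"MZ placeholder standing in for the worm body (constructed)\n"
    # Stub contents: the real autorun.inf directives are not given in this entry.
    (root / "autorun.inf").write_text("[autorun]\n")
    (root / "New Folder.exe").write_bytes(fake_worm)
    for name in ("Photos", "Work", "Photos/2010"):
        folder = root / name
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{folder.name}.exe").write_bytes(fake_worm)
    # Legitimate user files that must not be flagged.
    (root / "Work" / "budget.xlsx").write_bytes(b"legitimate user file")
    (root / "Work" / "notes.txt").write_text("legitimate user file\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    found = scan_drive_root(drive)
    for indicator, path in found:
        print(f"{indicator}: {path.relative_to(drive)}")
    for digest, copies in group_by_hash([p for _, p in found]).items():
        if len(copies) > 1:
            print(f"{len(copies)} byte-identical files with SHA-256 {digest[:16]}...")
```

On a real investigation, point `scan_drive_root` at the mount point of the suspect share or stick and treat each hit as a lead to hash and submit, not as a verdict on its own.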

Instant messenger clients

The worm checks if Yahoo Messenger is installed on your PC. If not, it will download and install the application. It adds its own id, for example balu311916, to the Yahoo Messenger contact list and then tries to send out spam messages to existing contacts. The message includes a URL link to a remote server that hosts the malware.

The message content is sourced from the malware configuration file _setting.ini, as outlined in the Payload section below.

If the worm cannot retrieve that file, it randomly selects a message from the following hardcoded list:

  • asl please" & @CRLF & "I am 23 Female, Delhi (India)" & @CRLF & "and you?
  • golden lovers rose screen saver from advgoogle.<removed>.com/love.scr and see more from <malicious site>
  • happy valentine day screen saver and beautiful screen saver from lovers advgoogle.<removed>.com/love.scr and <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks from <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr and get new tips and tricks for lovers <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr " & @CRLF & " and view secrets from private cam <malicious site>
  • happy valentine day screen saver from advgoogle.<removed>.com/love.scr " & @CRLF & " and view secrets from private cam <malicious site>
  • I LOVE YOUUUUUUUUUUUUU from screensaver advgoogle.<removed>.com/love.scr see more in <malicious site>
  • rose is always red ,see in advgoogle.<removed>.com/love.scr screen saver from <malicious site>

The malware also checks if Google Talk is installed on your PC. If the application is found the worm will use it to send any of the messages listed above to your contacts.

Payload

Stops processes

This worm can stop the following utilities from running on your PC:

  • Windows Task Manager
  • Registry Editor
  • System Configuration
  • FireLion

It also terminates the following processes:

  • cmd.exe
  • game_y.exe

The malware won't stop any processes if the file C:\god.txt is found on your PC.

Deletes registry entries 

The malware deletes the following registry entries:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BkavFw
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection

Removes restore points

The malware removes your system restore points by deleting the System Volume Information folder.

Connects to a remote host

This worm connects to the following servers to download its configuration file and updates:

  • h1.ripway.com/<removed>/setting.ini
  • balu[000 - 024].<removed>/setting.ini

The configuration file is saved to one of the following locations:

It saves its update file to the same folders, using a random file name specified in its configuration data.

Modifies web browser settings

The malware can change the Internet Explorer start and search pages to redirect to a malicious site. We have seen the worm redirect to the following locations: 

  • mydreamworld.<removed>.com
  • advgoogle.<removed>.com  

Additional information

The worm won't run if it detects the following PC names:

  • ALLADIN
  • TARANG
  • PARAM

It also won't run if it detects the following file, used as an infection marker:

  • c:\debug.txt

The presence of the following file will stop this threat from spreading:

  • c:\disk.txt 

Analysis by Diana Lopera


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
  • The presence of the following registry entries:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Yahoo Messengger"
    With data: "<worm copy>", for example, <system folder>\system3_.exe

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Shell"
    With data: "explorer.exe <worm copy>", for example "explorer.exe <system folder>\system3_.exe"


Prevention


Alert level: Severe
This entry was first published on: Jun 09, 2010
This entry was updated on: Mar 04, 2015

This threat is also detected as:
  • W32/Tupym.worm (McAfee)
  • WORM_SOHANAD.SM (Trend Micro)
  • Worm.Win32.AutoRun.fnc (Kaspersky)
  • W32/AutoRun-AOA (Sophos)
  • W32.Imaut (Symantec)