Worm:Win32/Refroso.A


Worm:Win32/Refroso.A is a worm that stops Windows Security Center and attempts to spread to other computers across a network by exploiting a vulnerability in Windows.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
Microsoft strongly recommends that users apply the latest available Security Bulletins, including the update referred to in Security Bulletin MS08-067.

Threat behavior

Worm:Win32/Refroso.A is a worm that stops Windows Security Center and attempts to spread to other computers across a network by exploiting a vulnerability in Windows.
Installation
When run, this worm copies itself to the Windows folder as "usb_drv.exe". The registry is modified to run the dropped worm copy at each Windows start.
 
Adds value: "Universal  Bus device"
With data: "usb_drv.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
The worm terminates itself if it detects that any of the following analysis tools are running:
  • Wireshark Network Analyzer
  • Process Monitor
  • File Monitor
  • Registry Monitor
Spreads Via…
Networked computers
Worm:Win32/Refroso.A attempts to locate networked computers that have not applied the update in Security Bulletin MS08-067 (the Server service vulnerability, CVE-2008-4250). The worm exploits that vulnerability on the target computer in order to copy itself to the vulnerable machine.
 
Mapped drives
The worm copies itself to mapped drives as "usb_drv.exe" and then writes an autorun configuration file named "autorun.inf" that points to the worm copy. When the drive is accessed from a machine on which the Autorun feature is enabled, the worm copy is launched automatically.
Payload
Stops Windows Security Center service
The worm drops a batch script named "x.bat" in the root of the local drive and runs it. The script attempts to stop Windows Security Center using the Windows utility "NET.EXE", as in the following example:
 
net stop "Security Center"
 
Downloads arbitrary files
The worm attempts to determine the external IP address of the infected machine by connecting to the following services:

www.whatismyip.com
checkip.dyndns.org
 
The worm then sends information about the infected machine to the remote server "virtual-rejects.com", and may download executable updates from the same server.
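The network contacts above are the indicators a defender can hunt for in proxy or DNS logs. The following PowerShell script is an added example and is not part of the Microsoft entry: it scans log lines for the two IP-lookup services and for "virtual-rejects.com", groups hits by client, and rates a client HIGH only when it contacted virtual-rejects.com (the IP-lookup services are also used legitimately, so on their own they are weak evidence). The log lines are constructed for the example, and the line layout "<timestamp> <client IP> <destination host>" is an assumption to adapt to the real log format.

```powershell
# Added example (not from the MMPC entry): hunt proxy/DNS logs for the
# Refroso.A network indicators. Hosts under the IP-lookup services are
# weak evidence on their own; contact with virtual-rejects.com is strong.
# The sample lines are constructed; the field layout
# "<timestamp> <client IP> <destination host>" is an assumption.

$indicators = @{
    'www.whatismyip.com'  = 'ip-lookup'
    'checkip.dyndns.org'  = 'ip-lookup'
    'virtual-rejects.com' = 'c2'
}

# Constructed sample log: one request per line.
$sampleLog = @'
2009-11-19T10:02:11 10.0.0.15 www.microsoft.com
2009-11-19T10:02:40 10.0.0.23 www.whatismyip.com
2009-11-19T10:02:41 10.0.0.23 virtual-rejects.com
2009-11-19T10:05:02 10.0.0.15 update.microsoft.com
2009-11-19T10:07:19 10.0.0.42 checkip.dyndns.org
'@ -split "`r?`n"

function Find-RefrosoBeacons {
    param([string[]]$Lines)
    $byClient = @{}
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3) { continue }
        $dest = $f[2].ToLower()
        foreach ($ioc in $indicators.Keys) {
            # Match the indicator host exactly or as a parent of the destination.
            if ($dest -eq $ioc -or $dest.EndsWith('.' + $ioc)) {
                if (-not $byClient.ContainsKey($f[1])) { $byClient[$f[1]] = @() }
                $byClient[$f[1]] += [pscustomobject]@{
                    Time = $f[0]; Host = $dest; Kind = $indicators[$ioc]
                }
            }
        }
    }
    foreach ($client in $byClient.Keys) {
        $kinds    = $byClient[$client].Kind | Sort-Object -Unique
        $severity = if ($kinds -contains 'c2') { 'HIGH' } else { 'LOW' }
        [pscustomobject]@{
            Client   = $client
            Severity = $severity
            Contacts = ($byClient[$client] | ForEach-Object { "$($_.Time) $($_.Host)" }) -join '; '
        }
    }
}

Find-RefrosoBeacons -Lines $sampleLog | Sort-Object Severity | Format-Table -AutoSize
```

To run this against real logs, replace $sampleLog with the output of Get-Content on the proxy or DNS log and adjust the field indexes to the log's layout; a client that appears as HIGH should be isolated and scanned with an up-to-date antivirus product, as the "What to do now" section recommends.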
 
Analysis by Jaime Wong

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\usb_drv.exe
  • The presence of the following registry modifications:
    Value: "Universal  Bus device"
    With data: "usb_drv.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
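The installation, spreading and payload sections above, together with the symptoms listed here, give a complete set of host-side indicators. The following PowerShell script is an added example and is not Microsoft's code: run in an elevated session, it checks for the dropped "usb_drv.exe", the Run-key value, "x.bat" and "autorun.inf" on local, removable and mapped drives, the state of the Security Center service, and whether the MS08-067 update is installed. Two assumptions are built in: "wscsvc" is the service name behind the "Security Center" display name, and KB958644 is the update released with MS08-067. The Get-HotFix check is only meaningful on the releases that update targeted (Windows XP, Server 2003, Vista and Server 2008); later releases shipped with the fix and will not list it. The script assumes Windows PowerShell 5.1 and reports only; the optional switch restores the Security Center service, but removal should still be left to a full antivirus scan as the entry advises.

```powershell
# Added example (not from the MMPC entry): host triage for the indicators this
# page lists for Worm:Win32/Refroso.A. Run in an elevated Windows PowerShell 5.1
# session. Assumptions: service name "wscsvc" = display name "Security Center";
# KB958644 = the MS08-067 update (only listed on XP/2003/Vista/2008-era hosts).

[CmdletBinding()]
param(
    [switch]$RestoreSecurityCenter   # optional: set wscsvc to Automatic and start it
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped worm copy in the Windows folder (page: %windir%\usb_drv.exe)
$wormPath = Join-Path $env:windir 'usb_drv.exe'
if (Test-Path -LiteralPath $wormPath) {
    $hash = (Get-FileHash -LiteralPath $wormPath -Algorithm SHA256).Hash
    $findings.Add("Dropped file present: $wormPath (SHA256 $hash)")
}

# 2. Run-key persistence (page: value "Universal  Bus device" = usb_drv.exe)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ("$($p.Value)" -match 'usb_drv\.exe' -or $p.Name -match '^Universal\s+Bus device$') {
            $findings.Add("Run value '$($p.Name)' = '$($p.Value)' in $runKey")
        }
    }
}

# 3. x.bat / usb_drv.exe / autorun.inf in the root of removable (2), fixed (3)
#    and network (4) drives (page: x.bat on the local drive, autorun.inf on mapped drives)
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2,3,4 }
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    foreach ($name in 'x.bat','usb_drv.exe') {
        $f = Join-Path $root $name
        if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present: $f (DriveType $($d.DriveType))") }
    }
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # Flag any open= / shellexecute= / shell\...\command= line that launches the worm copy
        foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$' -and
                $Matches[2] -match 'usb_drv\.exe') {
                $findings.Add("autorun.inf on $root launches worm copy: $($line.Trim())")
            }
        }
    }
}

# 4. Security Center stopped (page: x.bat runs  net stop "Security Center")
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Status -ne 'Running') {
    $findings.Add("Security Center (wscsvc) is $($wsc.Status), start type $($wsc.StartType)")
    if ($RestoreSecurityCenter) {
        Set-Service -Name wscsvc -StartupType Automatic
        Start-Service -Name wscsvc
        $findings.Add("Security Center (wscsvc) set to Automatic and started")
    }
}

# 5. MS08-067 update missing: the vulnerability the worm uses to spread over the network
if (-not (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)) {
    $findings.Add("KB958644 (MS08-067) not listed by Get-HotFix; if this is an XP/2003/Vista/2008 host it may be exploitable")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Refroso.A indicators found.'
} else {
    Write-Output 'Refroso.A indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Run a full scan with an up-to-date antivirus product; manual removal is not recommended.'
}
```

Save the script as a .ps1 file and run it as an administrator; add -RestoreSecurityCenter only after the host has been scanned, since the worm copy, if still running, can stop the service again.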

Prevention


Alert level: Severe
First detected by definition: 1.71.14.0
Latest detected by definition: 1.155.1794.0 and higher
First detected on: Nov 19, 2009
This entry was first published on: Nov 19, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Refroso.27136 (AhnLab)
  • Win32/Refroso.E (CA)
  • Win32/AutoRun.IRCBot.BG (ESET)
  • Trojan.Win32.Refroso.bck (Kaspersky)
  • Backdoor-DVB (McAfee)
  • W32/Smalldoor.GJGE (Norman)
  • Trj/Buzus.AH (Panda)
  • Troj/BRMCrypt-A (Sophos)
  • Trojan.Refroso.FR (VirusBuster)
  • TrojanDropper:Win32/Refroso.A (other)