Worm:Win32/Ructo.J


Worm:Win32/Ructo.J is a worm that spreads via Windows Live Messenger. It also lowers system security settings and downloads other malicious files from a remote server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Worm:Win32/Ructo.J may download additional malware that attempts to steal sensitive and confidential information from affected users in order to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Additional remediation instructions for Worm:Win32/Ructo.J

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Ructo.J is a worm that spreads via Windows Live Messenger. It also lowers system security settings and downloads other malicious files from a remote server.

Installation

When executed, Worm:Win32/Ructo.J drops the following files:

  • <Computer name>mplayer2.exe - copy of itself
  • <Computer name>mac.exe - malicious component also detected as Worm:Win32/Ructo.J

It then creates the following registry entry to be able to execute itself every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wmplayer"
With data: "<Computer name>mplayer2.exe"
Sets value: "mac"
With data: "<Computer name>mac.exe"

Worm:Win32/Ructo.J then opens an Internet Explorer window to the following webpage:

  • youtube.com/watch?v=Bb_9w_9sroE

Spreads via...

Windows Live Messenger

For it to spread via Windows Live Messenger, Worm:Win32/Ructo.J first checks the version of the file "%ProgramFiles%\Messenger\msgsc.dll". If the file version is not 4.7.0.3001, which is an old version, then it downloads the following:

  • videoschatjogos.servegame.com/part/win.rar

and saves it as "%ProgramFiles%\Messenger\msgsc.dll".

It then checks Windows Live Messenger for the following statuses:

  • MISTATUS_ONLINE
  • MISTATUS_AWAY
  • MISTATUS_BE_RIGHT_BACK
  • MISTATUS_BUSY
  • MISTATUS_UNKNOWN

If any of these statuses are found, Worm:Win32/Ructo.J attempts to send messages containing a hyperlink to the affected user's contacts. The hyperlink may point to a remotely-hosted copy of the worm.

In the wild, it has been observed to send out the following hyperlinks:

  • ferreirasilva678.com/<removed>.php
  • limamagalhaes.com/<removed>.php
  • limamagalhaes.tempsite.ws/<removed>.php
  • ssl5211.websiteseguro.com/ferreirasilva678/<removed>.php
  • ssl5474.websiteseguro.com/limamagalhaes/<removed>.php

Payload

Terminates processes

The dropped malicious component "mac.exe" is responsible for terminating the following security-related processes if they are found running on the affected computer:

  • AVGIDSAgent.exe
  • avgchsvx.exe
  • avgcsrvx.exe
  • avgemcx.exe
  • avgidsmonitor.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgtray.exe
  • avgui.exe
  • avast.setup
  • AvastSvc.exe
  • AvastUI.exe

Lowers system security settings

Worm:Win32/Ructo.J lowers system security settings by creating the following registry entries:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "RunInvalidSignatures"
With data: "00000001"

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
Sets value: "SaveZoneInformation"
With data: "00000001"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
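The following PowerShell script is an added example, not part of this encyclopedia entry or any Microsoft tool: it audits the current user's registry for the persistence values described under Installation and the weakened download and Attachment Manager settings listed above, and offers a -WhatIf-capable cleanup. The function names, and the assumption that deleting these values returns Windows to its default behaviour, are the author's own.

```powershell
# Added example (not from the Microsoft encyclopedia entry): audit the current user's
# registry for the values this entry attributes to Worm:Win32/Ructo.J.
Set-StrictMode -Version Latest

function Get-RuctoIndicator {
    $hits = @()
    # Persistence: the two Run values named in the entry, pointing at the dropped copies.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'wmplayer', 'mac') {
        $p = Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue
        if ($p -and $p.$name -match '(mplayer2|mac)\.exe$') {
            $hits += [pscustomobject]@{ Kind = 'Persistence'; Path = $run; Name = $name; Data = $p.$name }
        }
    }
    # Weakened settings; each test returns $true when the value holds the data the worm
    # writes (for LowRiskFileTypes: when .exe has been declared a low-risk extension).
    $ie  = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $weak = @(
        @{ Path = $ie; Name = 'RunInvalidSignatures'; Bad = { param($d) [int]$d -eq 1 } }
        @{ Path = $ie; Name = 'CheckExeSignatures';   Bad = { param($d) "$d" -eq 'no' } }
        @{ Path = "$pol\Attachments";  Name = 'SaveZoneInformation'; Bad = { param($d) [int]$d -eq 1 } }
        @{ Path = "$pol\Associations"; Name = 'LowRiskFileTypes';    Bad = { param($d) "$d" -match '\.exe;' } }
    )
    foreach ($w in $weak) {
        $p = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
        if ($p -and (& $w.Bad $p.($w.Name))) {
            $hits += [pscustomobject]@{ Kind = 'WeakenedSecurity'; Path = $w.Path; Name = $w.Name; Data = $p.($w.Name) }
        }
    }
    return $hits
}

function Remove-RuctoIndicator {
    # Deletes every matched value; run with -WhatIf first. Removing the policy values is
    # assumed to fall back to Windows defaults; confirm against your own baseline.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($h in Get-RuctoIndicator) {
        if ($PSCmdlet.ShouldProcess("$($h.Path)\$($h.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $h.Path -Name $h.Name
        }
    }
}

# Report only; call Remove-RuctoIndicator -WhatIf to preview cleanup.
Get-RuctoIndicator | Format-Table -AutoSize
```

Registry cleanup does not remove the dropped files or the replaced msgsc.dll, so treat a hit as a reason to run the full-system scan recommended above rather than as the whole remediation.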

Downloads and executes arbitrary files

Worm:Win32/Ructo.J downloads the following files related to the Win32/Banker family:

  • vipshost1.myvnc.com/imagem/dll.rar - saved as "rEvents.dll" and registered as a Browser Helper Object
  • masterhost1.myvnc.com/imagem/up.rar - saved and executed as "up.exe"

Gathers chat logs

Worm:Win32/Ructo.J also has the capability to gather chat logs or archives stored on the affected computer. It then sends these logs to a specific email address.

Analysis by Ric Robielos

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • <Computer name>mplayer2.exe
    • <Computer name>mac.exe
  • The presence of the following registry modifications:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "wmplayer"
    With data: "<Computer name>mplayer2.exe"
    Sets value: "mac"
    With data: "<Computer name>mac.exe"
  • The following processes do not run properly:
    • AVGIDSAgent.exe
    • avgchsvx.exe
    • avgcsrvx.exe
    • avgemcx.exe
    • avgidsmonitor.exe
    • avgnsx.exe
    • avgrsx.exe
    • avgtray.exe
    • avgui.exe
    • avast.setup
    • AvastSvc.exe
    • AvastUI.exe

Prevention


Alert level: Severe
First detected by definition: 1.109.1292.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 08, 2011
This entry was first published on: Aug 08, 2011
This entry was updated on: Sep 05, 2011

This threat is also detected as:
No known aliases