Worm:Win32/Soglueda.A


Worm:Win32/Soglueda.A is a worm that replaces an existing Windows system file named "services.exe" with a copy of itself. Win32/Soglueda.A spreads to other computers by copying itself to removable drives. The worm also installs a key logger that captures user-entered keystrokes and sends the data to a remote server.


What to do now

To detect and remove this threat and other malicious software that may have been installed on your computer, run a full-system scan with an up-to-date antivirus product. For more information about using antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Additional remediation instructions
This threat may make lasting changes to an affected system's configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following information:
 
  • Using the system's recovery options:
  • Disable Autorun functionality
    Worm:Win32/Soglueda.A attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article: http://support.microsoft.com/kb/967715/

Threat behavior

Installation
When executed, Worm:Win32/Soglueda.A copies itself to "<system folder>\services.exe", replacing the existing Windows system file. The worm also drops a copy of itself as " .cmd" into the Windows system folder.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
Spreads via…
Removable drives
Worm:Win32/Soglueda.A may create the following file on targeted drives when spreading:

<targeted drive>:\dllrun.exe

In some instances, the worm copies itself as "rundll.exe" instead. It also places an Autorun configuration file named "autorun.inf" in the root directory of the targeted drive. Autorun configuration files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically.

Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally used to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are also used by legitimate programs and installation CDs.
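The following Python is an added example, not code from the Microsoft encyclopedia entry: it parses an autorun.inf the way a responder would when triaging a removable drive, lists which programs an Autorun-enabled host would execute, and flags the two executable names the entry reports for this worm (dllrun.exe, rundll.exe). The two sample autorun.inf files are constructed, not the worm's real file; the key names it inspects (open, shellexecute, shell\open\command, shell\explore\command) are the standard Autorun launch keys. It deliberately does not treat "launches an executable" as evidence on its own, for the reason the note above gives.

```python
"""Triage an autorun.inf for Soglueda-style spreading.

Added example, not from the Microsoft encyclopedia entry: the sample files
below are constructed, and the only Soglueda-specific facts used are the
executable names the entry reports (dllrun.exe / rundll.exe).
"""
from typing import Dict, List

# Executable names the entry reports the worm writing to removable drives.
SOGLUEDA_DROPPERS = {"dllrun.exe", "rundll.exe"}

# autorun.inf keys whose value is executed (or wired to the "Open" verb).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf into {section: {key: value}}.

    Hand-rolled instead of configparser because malware routinely pads the
    file with junk lines and duplicate keys that make configparser raise.
    Section and key names are lower-cased; the shell treats them case-insensitively.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk outside any section, or a line with no key
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launch_targets(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Basenames of the programs an Autorun-enabled host would execute."""
    auto = sections.get("autorun", {})
    names = []
    for key in LAUNCH_KEYS:
        if key in auto:
            exe = first_token(auto[key]).replace("/", "\\").rsplit("\\", 1)[-1]
            if exe:
                names.append(exe.lower())
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def triage(text: str) -> dict:
    targets = launch_targets(parse_autorun_inf(text))
    return {
        "targets": targets,
        # a hit here ties the file to this family; "executes_code" alone does
        # not, since installer CDs legitimately use open=setup.exe
        "soglueda_match": sorted(t for t in targets if t in SOGLUEDA_DROPPERS),
        "executes_code": bool(targets),
    }


# Constructed samples (not the worm's actual file contents).
WORM_LIKE_AUTORUN = """\
[AutoRun]
;padding line of the kind malware adds to confuse parsers
OPEN=dllrun.exe
shell\\open\\Command=dllrun.exe /s
ShellExecute="dllrun.exe"
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

INSTALLER_AUTORUN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Installer
"""

if __name__ == "__main__":
    for name, sample in (("worm-like", WORM_LIKE_AUTORUN), ("installer", INSTALLER_AUTORUN)):
        print(name, triage(sample))
```

Run it against the root of a suspect drive (`triage(open("E:\\autorun.inf").read())`); a non-empty soglueda_match is the indicator to act on, while executes_code alone only says the drive would launch something.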
Payload
Installs key logger
The malware creates the following file on an affected computer:

<system folder>\winm.dll

Worm:Win32/Soglueda.A uses code injection to hinder detection and removal of the trojan component. When the worm executes, it injects the trojan code "winm.dll" into running processes, including, for example:
• cmd.exe
• csrss.exe
• explorer.exe
• winlogon.exe

The trojan key logger records keystrokes and window titles and reports them to a remote host. We have observed the trojan contacting the following remote hosts on port 80 to send the captured data:
• bi.aznaryespinosa.com.ar
• bits.aznaryespinosa.com.ar
• f.aznaryespinosa.com.ar
• nico.aznaryespinosa.com.ar
• servers.aznaryespinosa.com.ar
• muler.agusting.com.ar
• winupdate32.sytes.net
• 174.36.209.138
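The following Python is an added example, not code from the Microsoft encyclopedia entry: it sweeps proxy or DNS style log lines for the drop hosts listed above and reports which internal machines reached them. The host list and port 80 are taken from the entry; the four-field log format, the sample lines, and the idea of also flagging other names under aznaryespinosa.com.ar and agusting.com.ar as "related" (weaker evidence than an exact hit) are this example's own assumptions.

```python
"""Flag log entries that reach Soglueda.A's reported key-logger drop hosts.

Added example, not from the Microsoft encyclopedia entry. The host list and
port 80 come from the entry; the log format and log lines are constructed.
"""
import re
from typing import Dict, List, Optional

SOGLUEDA_C2_HOSTS = {
    "bi.aznaryespinosa.com.ar",
    "bits.aznaryespinosa.com.ar",
    "f.aznaryespinosa.com.ar",
    "nico.aznaryespinosa.com.ar",
    "servers.aznaryespinosa.com.ar",
    "muler.agusting.com.ar",
    "winupdate32.sytes.net",
    "174.36.209.138",
}
SOGLUEDA_C2_PORT = 80

# Parent zones of the listed names. Flagging *other* hosts under them is this
# example's assumption (weaker evidence than an exact hit). sytes.net is left
# out on purpose: it is a shared dynamic-DNS zone full of unrelated names.
RELATED_ZONES = ("aznaryespinosa.com.ar", "agusting.com.ar")

# Constructed line format: "<timestamp> <src_ip> <dst_host_or_ip> <dst_port>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,5})\s*$")


def classify_destination(host: str) -> Optional[str]:
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    if host in SOGLUEDA_C2_HOSTS:
        return "c2-host"
    if any(host == z or host.endswith("." + z) for z in RELATED_ZONES):
        return "c2-related-zone"
    return None


def find_c2_hits(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, port = m.groups()
        host = dst.lower().rstrip(".")
        verdict = classify_destination(host)
        if verdict is None:
            continue
        hits.append({
            "time": ts,
            "src": src,
            "dst": host,
            "port": int(port),
            "verdict": verdict,
            # the entry reports port 80; other ports still deserve a look
            "port_matches_report": int(port) == SOGLUEDA_C2_PORT,
        })
    return hits


def sources_to_isolate(hits: List[Dict[str, object]]) -> List[str]:
    """Hosts with at least one exact C2 hit, i.e. candidates for containment."""
    return sorted({str(h["src"]) for h in hits if h["verdict"] == "c2-host"})


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2010-07-19T10:02:11Z 10.0.0.23 bits.aznaryespinosa.com.ar 80
2010-07-19T10:02:13Z 10.0.0.23 www.example.com 80
2010-07-19T10:05:40Z 10.0.0.41 174.36.209.138 80
2010-07-19T10:06:02Z 10.0.0.41 update.aznaryespinosa.com.ar 443
this line is deliberately malformed
2010-07-19T10:07:55Z 10.0.0.77 WinUpdate32.sytes.net. 8080
""".splitlines()

if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("isolate:", sources_to_isolate(hits))
```

An exact hit on a listed host is enough to pull the machine for the services.exe and winm.dll checks described in this entry; a "c2-related-zone" verdict is a lead to investigate, not proof of this family.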
     
Changes Windows settings
The worm modifies the registry so that files of type ".EXE" display the icon of a text or document file. Note the trailing space in the data "exefile ": Windows treats "exefile " as a ProgID distinct from the stock "exefile", so the .exe extension is re-pointed at a class the worm creates, whose DefaultIcon is set to an icon in shell32.dll. The stock "exefile" class is renamed "aplicación" (Spanish for "application"). The changes are as in the following example:

In subkey: HKLM\SOFTWARE\Classes\.exe
Sets value: "(default)"
With data: "exefile "

In subkey: HKLM\SOFTWARE\Classes\exefile
Sets value: "(default)"
With data: "aplicación"

In subkey: HKLM\SOFTWARE\Classes\exefile \DefaultIcon
Sets value: "(default)"
With data: "shell32.dll,2"

Disables programs from running
Worm:Win32/Soglueda.A tampers with registry data that would run programs at Windows start, setting the default value of the following Run keys to a blank string:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
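The following Python is an added example, not code from the Microsoft encyclopedia entry: it checks registry data for the five changes listed above, comparing the data case-insensitively but without stripping whitespace, because the trailing space in "exefile " is what distinguishes the worm's ProgID from the stock one. The indicator values are the ones in the entry; the two snapshots are constructed, and reading the live keys through the standard-library winreg module (Windows only) is this example's assumption about how a responder would apply it.

```python
"""Check registry data for the changes the entry attributes to Soglueda.A.

Added example, not from the Microsoft encyclopedia entry. Indicator values are
the ones the entry lists; the snapshots below are constructed, and the live
read via winreg is an assumption about where a responder would point this.
"""
import sys
from typing import Dict, List, Optional, Tuple

# (key, value name, data the entry reports). "" is the key's (default) value.
# Mind the trailing space in "exefile " and in the "exefile \DefaultIcon" key.
SOGLUEDA_REG_INDICATORS: List[Tuple[str, str, str]] = [
    (r"HKLM\SOFTWARE\Classes\.exe", "", "exefile "),
    (r"HKLM\SOFTWARE\Classes\exefile", "", "aplicación"),
    (r"HKLM\SOFTWARE\Classes\exefile \DefaultIcon", "", "shell32.dll,2"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "", " "),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "", " "),
]

Snapshot = Dict[str, Dict[str, str]]  # {key path: {value name: data}}


def _get(snap: Snapshot, key: str, name: str) -> Optional[str]:
    """Registry key paths and value names are case-insensitive on Windows."""
    for k, values in snap.items():
        if k.lower() == key.lower():
            for n, d in values.items():
                if n.lower() == name.lower():
                    return d
    return None


def check_snapshot(snap: Snapshot) -> List[Tuple[str, str, str]]:
    """Return the indicators present in the snapshot.

    Data is compared case-insensitively but *not* stripped: the trailing
    space is the whole point of "exefile " (a ProgID distinct from "exefile").
    """
    found = []
    for key, name, bad in SOGLUEDA_REG_INDICATORS:
        data = _get(snap, key, name)
        if data is not None and data.lower() == bad.lower():
            found.append((key, name, data))
    return found


def exe_association_hijacked(snap: Snapshot) -> bool:
    """True if .exe no longer resolves to the stock 'exefile' ProgID."""
    data = _get(snap, r"HKLM\SOFTWARE\Classes\.exe", "")
    return data is not None and data.lower() != "exefile"


def read_live_snapshot() -> Snapshot:
    """Read the same keys from the live registry (Windows only)."""
    import winreg  # standard library, only present on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for key, name, _ in SOGLUEDA_REG_INDICATORS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                data, _type = winreg.QueryValueEx(k, name)  # "" reads (default)
        except OSError:
            continue  # key or value absent: nothing to report for it
        snap.setdefault(key, {})[name] = str(data)
    return snap


# Constructed snapshots.
INFECTED_SNAPSHOT: Snapshot = {
    r"HKLM\SOFTWARE\Classes\.exe": {"": "exefile "},
    r"HKLM\SOFTWARE\Classes\exefile": {"": "aplicación"},
    r"HKLM\SOFTWARE\Classes\exefile \DefaultIcon": {"": "shell32.dll,2"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"": " "},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"": " "},
}

CLEAN_SNAPSHOT: Snapshot = {
    r"HKLM\SOFTWARE\Classes\.exe": {"": "exefile"},
    r"HKLM\SOFTWARE\Classes\exefile": {"": "Application"},
    r"HKLM\SOFTWARE\Classes\exefile\DefaultIcon": {"": "%1"},
    # a typical Run key carries named values and no (default) value at all
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"Vendor Tray": r"C:\Tools\tray.exe"},
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for key, name, data in check_snapshot(snap):
        print(f"{key} [{name or '(default)'}] = {data!r}")
```

A clean system resolves .exe to "exefile" and that class's DefaultIcon to "%1" (the executable's own icon), which is why the clean snapshot produces no findings; restoring those values is part of the "lasting changes" the remediation note above refers to.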
     
Analysis by Vincent Tiu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
• The presence of the following files:
  <system folder>\winm.dll
  <targeted drive>:\dllrun.exe

Prevention

Alert level: Severe
First detected by definition: 1.87.146.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 19, 2010
This entry was first published on: Nov 24, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
• Trojan-Spy.Win32.Agent.bhpj (Kaspersky)
• Trojan.ADH (Symantec)