Installation
When executed, Worm:Win32/Dogkild.C copies itself to
It also drops the following files:
- c:\WINDOWS\extext3227671t.exe (detected as TrojanDownloader:Win32/Dogrobot.D)
- c:\WINDOWS\system32\drivers\asyncmac.sys (detected as VirTool:WinNT/Dogrobot)
Note: C:\WINDOWS\system32\drivers\asyncmac.sys is a legitimate Windows system file. The worm overwrites this file with VirTool:WinNT/Dogrobot.
Worm:Win32/Dogkild.C also makes the following registry modifications:
Adds value: "lfEscapement"
With data: "0"
To subkey: HKCU\Software\Microsoft\Notepad
Adds value: "RsTray"
With data: "C:\WINDOWS\system32\scvhost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: scvhost.exe is not the legitimate Windows svchost.exe; the file name is chosen to resemble it. The value name "RsTray" likewise matches one of the security-product process names listed under "Modifies system settings" below.
Spreads via…
Removable and network drives
Worm:Win32/Dogkild.C attempts to copy itself to <drive>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\rav32.exe on all accessible drives. The folder name ends in the CLSID of the Recycle Bin shell folder, so Windows Explorer displays it as a Recycle Bin rather than as an ordinary folder, which hides the worm copy from casual inspection. The worm then writes an autorun configuration file named "autorun.inf" that points to the worm copy. When the drive is accessed from a machine on which the Autorun feature is enabled, the malware is launched automatically.
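The drive-root layout described above, as an added example that is not part of the original analysis: a Python script that parses an autorun.inf for the keys that make Explorer launch code (open, shellexecute and shell\<verb>\command), resolves each target against the drive root, and reports whether the file exists and whether it sits under a folder carrying the Recycle Bin CLSID. The sample drive is constructed in a temporary directory by build_sample_root(); the rav32.exe it writes is a placeholder, not the worm binary.

```python
"""Check a drive root for the autorun.inf + disguised-folder pattern described above.

Added example, not tooling from the analysis. build_sample_root() constructs the
layout in a temporary directory; on a real system pass a drive root such as "E:\\".
"""
import re
import tempfile
from pathlib import Path

# CLSID of the Recycle Bin shell folder. Explorer renders a folder named
# "<anything>.{this CLSID}" as a Recycle Bin, which hides the worm copy inside it.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
WORM_COPY = "recycle." + RECYCLE_BIN_CLSID + "\\rav32.exe"  # relative path from the analysis


def _first_token(command):
    """Strip arguments: a quoted program name, or the first whitespace-delimited word."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def parse_autorun(text):
    """Return the launch targets an autorun.inf hands to Explorer.

    Only the keys that cause execution are collected: open, shellexecute and
    shell\\<verb>\\command. Sections, comments, icon= and menu labels are ignored.
    """
    targets = []
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(_first_token(value))
    return targets


def scan_drive_root(root):
    """For each autorun target under root: its path, whether it exists, and whether
    it hides under a folder carrying the Recycle Bin CLSID."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for target in parse_autorun(inf.read_text(errors="replace")):
        rel = Path(*re.split(r"[\\/]+", target.strip("\\/")))  # accept \ or / separators
        path = root / rel
        disguised = any(p.lower().endswith(RECYCLE_BIN_CLSID.lower()) for p in rel.parts)
        findings.append({"target": target, "path": str(path),
                         "exists": path.is_file(), "recycle_bin_disguise": disguised})
    return findings


def build_sample_root():
    """Construct the worm's drive layout (placeholder file, not the real binary)."""
    root = Path(tempfile.mkdtemp(prefix="dogkild_"))
    copy = root / ("recycle." + RECYCLE_BIN_CLSID) / "rav32.exe"
    copy.parent.mkdir()
    copy.write_bytes(b"MZ")
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "open=" + WORM_COPY + "\n"
        "shellexecute=" + WORM_COPY + "\n"
        "shell\\open\\command=" + WORM_COPY + "\n"
        "shell\\open=Open\n"  # context-menu label, not a command
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_drive_root(build_sample_root()):
        print(finding)
```

Any autorun.inf whose launch target lives under a folder named with a shell-folder CLSID is worth flagging on its own; the worm's specific names (rav32.exe, recycle.{...}) only confirm the family.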
Payload
Installs additional malware
As mentioned above in the Installation section, Worm:Win32/Dogkild.C drops the following files to an affected computer:
Terminates services
Worm:Win32/Dogkild.C kills the following services on an affected computer:
It also attempts to disable shared access on affected computers.
Modifies system settings
Worm:Win32/Dogkild.C modifies the registry in order to execute the file C:\WINDOWS\system32\scvhost.exe whenever one of the following files is executed:
360delays.exe
360Safebox.exe
360tray.exe
AgentSvr.exe
antiarp.exe
avp.exe
bdagent.exe
ccapp.exe
CCenter.exe
ccEvtMgr.exe
ccSetMgr.exe
ccSvcHst.exe
defwatch.exe
DrUpdate.exe
egui.exe
ekrn.exe
engineserver.exe
FrameworkService.exe
KavStart.exe
KISSvc.exe
kmailmon.exe
KPFW32.exe
KPfwSvc.exe
KSWebShield.exe
KVSrvXP.exe
KWatch.exe
livesrv.exe
LiveUpdate360.exe
mcagent.exe
mcinsupd.exe
mcmscsvc.exe
mcnasvc.exe
McProxy.exe
mcshell.exe
mcshield.exe
mcsysmon.exe
McTray.exe
mcupdmgr.exe
mfeann.exe
mfevtps.exe
MpfSrv.exe
MPMon.exe
MPSVC.exe
MPSVC1.exe
MPSVC2.exe
naPrdMgr.exe
QQDoctor.exe
QQDoctorRtp.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegGuide.exe
rfwsrv.exe
RsAgent.exe
rsnetsvr.exe
rssafety.exe
RsTray.exe
rtvscan.exe
safeboxTray.exe
ScanFrm.exe
SHSTAT.exe
udaterui.exe
Uplive.exe
vptray.exe
vsserv.exe
vstskmgr.exe
xcommsvr.exe
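To check a host for the two registry changes this page describes (the Run value from the Installation section and the per-process redirection above), here is an added example; it is not tooling from the analysis. The page does not name the registry key used for the redirection: the Image File Execution Options "Debugger" value is assumed here, since it is the standard Windows mechanism for running one program whenever another is started. The script parses the text that `reg export` produces; SAMPLE_EXPORT is constructed, not captured from an infected machine, and its notepad.exe entry (with a made-up dbg.exe path) is there only as a benign contrast.

```python
"""Scan a .reg export for the Run value and the per-process hijack described above.

Added example, not tooling from the analysis. The IFEO "Debugger" mechanism is
an assumption (the page does not name the key). SAMPLE_EXPORT is constructed.
"""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD = r"c:\windows\system32\scvhost.exe"  # "scvhost", a lookalike of the real svchost.exe

# The security-product processes the analysis lists as hijacked (matched case-insensitively).
HIJACKED = frozenset(n.lower() for n in """
360delays.exe 360Safebox.exe 360tray.exe AgentSvr.exe antiarp.exe avp.exe bdagent.exe ccapp.exe
CCenter.exe ccEvtMgr.exe ccSetMgr.exe ccSvcHst.exe defwatch.exe DrUpdate.exe egui.exe ekrn.exe
engineserver.exe FrameworkService.exe KavStart.exe KISSvc.exe kmailmon.exe KPFW32.exe KPfwSvc.exe
KSWebShield.exe KVSrvXP.exe KWatch.exe livesrv.exe LiveUpdate360.exe mcagent.exe mcinsupd.exe
mcmscsvc.exe mcnasvc.exe McProxy.exe mcshell.exe mcshield.exe mcsysmon.exe McTray.exe mcupdmgr.exe
mfeann.exe mfevtps.exe MpfSrv.exe MPMon.exe MPSVC.exe MPSVC1.exe MPSVC2.exe naPrdMgr.exe
QQDoctor.exe QQDoctorRtp.exe Rav.exe RavMon.exe RavMonD.exe RavStub.exe RavTask.exe RegGuide.exe
rfwsrv.exe RsAgent.exe rsnetsvr.exe rssafety.exe RsTray.exe rtvscan.exe safeboxTray.exe ScanFrm.exe
SHSTAT.exe udaterui.exe Uplive.exe vptray.exe vsserv.exe vstskmgr.exe xcommsvr.exe
""".split())

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data
_QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the following backslash or quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return [(key_path, value_name, data)] for every value in a .reg export.

    String data is unescaped; dword:/hex: data is kept as its raw token and
    hex continuation lines (leading whitespace) are skipped.
    """
    entries, key = [], None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.rstrip()
        if not line or line.startswith(";") or line[0].isspace():
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")  # "[-HKEY...]" marks a key deletion; keep the path
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        q = _QUOTED.match(data)
        entries.append((key, name, _unescape(q.group(1)) if q else data))
    return entries


def find_ifeo_hijacks(entries):
    """Every IFEO Debugger value, flagged when it hits a listed security product
    and/or redirects to the worm's scvhost.exe. Any Debugger value on a host
    without developer tooling deserves a look."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, name, data in entries:
        if not key.lower().startswith(prefix) or name.lower() != "debugger":
            continue
        image = key[len(prefix):].split("\\")[0].lower()
        hits.append({"image": image, "debugger": data,
                     "targets_security_product": image in HIJACKED,
                     "runs_payload": PAYLOAD in data.lower()})
    return hits


def find_run_persistence(entries):
    """Run-key values (HKLM or HKCU) whose command contains the worm's payload path."""
    return [{"key": key, "name": name, "command": data}
            for key, name, data in entries
            if key.lower().endswith(r"\microsoft\windows\currentversion\run")
            and PAYLOAD in data.lower()]


SAMPLE_EXPORT = "\r\n".join([  # constructed; mirrors the values described on this page
    "Windows Registry Editor Version 5.00",
    "",
    "[" + RUN_KEY + "]",
    '"RsTray"="C:\\\\WINDOWS\\\\system32\\\\scvhost.exe"',
    "",
    "[" + IFEO_KEY + "\\360tray.exe]",
    '"Debugger"="C:\\\\WINDOWS\\\\system32\\\\scvhost.exe"',
    "",
    "[" + IFEO_KEY + "\\avp.exe]",
    '"Debugger"="C:\\\\WINDOWS\\\\system32\\\\scvhost.exe"',
    "",
    "[" + IFEO_KEY + "\\iexplore.exe]",  # no Debugger value: not reported
    '"DisableExceptionChainValidation"=dword:00000000',
    "",
    "[" + IFEO_KEY + "\\notepad.exe]",  # made-up developer debugger: reported, neither flag set
    '"Debugger"="\\"C:\\\\Program Files\\\\Debugger\\\\dbg.exe\\" -p"',
])

if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_EXPORT)
    for hit in find_run_persistence(found) + find_ifeo_hijacks(found):
        print(hit)
```

On a live machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the Run key export; a Debugger value that points at a file under system32 with a svchost-like misspelling is the combination to act on, and the asyncmac.sys driver overwrite noted under Installation should be checked alongside it, since removing the registry entries alone does not remove the rootkit component.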
Analysis by Jaime Wong