Virus:O97M/DarkSnow.A is an Office 97 format macro virus that infects the Microsoft Word and Excel environments. This virus also drops and executes Worm:Win32/DarkSnow.A on the infected system.
Installation
This virus is installed when a user opens files infected by Virus:O97M/DarkSnow.A or runs files infected with Virus:Win32/DarkSnow.A. When a Virus:O97M/DarkSnow.A infected Excel workbook is opened and the macro executes, it creates a new workbook named 'book1.xls' in the XLSTART folder, then infects the newly created workbook and any workbooks subsequently opened in Excel. The macro contains a base64 encoded copy of Worm:Win32/DarkSnow.A that is dropped when the macro is allowed to execute.
When a Virus:O97M/DarkSnow.A infected Word document is opened and the macro executes, it infects the global template 'normal.dot'. Once the global template is infected, it infects newly created documents in Word. Both forms of the macro virus contain a base64 encoded copy of Worm:Win32/DarkSnow.A that is dropped and run as described below.
Payload
Installs and Executes Worm:Win32/DarkSnow.A
If the macro is allowed to run, it drops an embedded binary as the following:
The dropped malware is executed and it copies itself as the following files:
The file properties of 'blackice.exe' are set to system, hidden and read-only. The registry is modified to run the dropped copy 'blackice.exe' at Windows start.
Adds value: "run"
With data: "<system folder>\blackice.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "Shell"
With data: "Explorer <system folder>\blackice.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The Windows configuration files 'system.ini' and 'win.ini' are also modified to execute the worm copy at Windows start. The worm makes the following change to '%windir%\win.ini' within the "[load]" section:
run=<system folder>\blackice.exe
The worm makes the following change to '%windir%\system.ini' within the "[boot]" section:
shell=explorer.exe <system folder>\blackice.exe
Note: The configuration files 'system.ini' and 'win.ini' contain driver load parameters and other Windows configuration settings; they are primarily used by Windows 9x (95/98/Me) and in some cases Windows XP.
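The following script is an added example, not part of this encyclopedia entry, showing how a responder can check the persistence locations listed above offline: the 'win.ini' "[load]" run= line, the 'system.ini' "[boot]" shell= line, the "run" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows and the "Shell" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. It goes slightly beyond the entry by also checking the standard "[windows]" load=/run= autostart lines in 'win.ini'. The INI text, the '<system folder>' path (C:\WINDOWS\SYSTEM32) and the registry export are constructed samples; on a real host you would feed it the actual files and exported key values.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (location, offending value)

# Dropped filename named in the description above. Anything appended to a
# shell/run line is flagged regardless, so the check is not tied to this name.
KNOWN_DROPPED_NAME = "blackice.exe"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section (lower-case): {key (lower-case): value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _tokens(value: str) -> List[str]:
    """Split 'explorer.exe C:\\x\\y.exe' into tokens so trailing programs show up."""
    return [tok for tok in re.split(r"\s+", value.strip()) if tok]


def _shell_is_suspicious(value: str) -> bool:
    """A clean shell line is exactly one token: explorer.exe (case-insensitive)."""
    toks = _tokens(value)
    return len(toks) > 1 or (bool(toks) and toks[0].lower() != "explorer.exe")


def check_system_ini(text: str) -> List[Finding]:
    """Flag a modified [boot] shell= line in system.ini."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return [("system.ini [boot] shell", shell)] if _shell_is_suspicious(shell) else []


def check_win_ini(text: str) -> List[Finding]:
    """Flag the [load] run= change described above and the standard [windows]
    load=/run= autostart lines (assumption: these are empty on a clean host)."""
    ini = parse_ini(text)
    findings: List[Finding] = []
    for section, key in (("load", "run"), ("windows", "load"), ("windows", "run")):
        value = ini.get(section, {}).get(key, "")
        if _tokens(value):
            findings.append((f"win.ini [{section}] {key}", value))
    return findings


def check_registry(values: Dict[str, Dict[str, str]]) -> List[Finding]:
    """values: {subkey path: {value name: data}}, e.g. from an exported registry."""
    findings: List[Finding] = []
    for subkey, entries in values.items():
        sk = subkey.lower()
        for name, data in entries.items():
            n = name.lower()
            if sk.endswith(r"\windows nt\currentversion\winlogon") and n == "shell":
                if _shell_is_suspicious(data):
                    findings.append((f"{subkey}\\{name}", data))
            elif sk.endswith(r"\windows nt\currentversion\windows") and n in ("run", "load"):
                if _tokens(data):
                    findings.append((f"{subkey}\\{name}", data))
    return findings


def mentions_known_dropper(findings: List[Finding]) -> bool:
    """True if any flagged value names the dropped file from this entry."""
    return any(KNOWN_DROPPED_NAME in value.lower() for _, value in findings)


# Constructed samples mirroring the changes described in the entry.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\n[load]\nrun=C:\\WINDOWS\\SYSTEM32\\blackice.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\SYSTEM32\\blackice.exe\n"
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "run": r"C:\WINDOWS\SYSTEM32\blackice.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"Explorer C:\WINDOWS\SYSTEM32\blackice.exe"},
}

if __name__ == "__main__":
    all_findings = (check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI)
                    + check_registry(SAMPLE_REGISTRY))
    for location, value in all_findings:
        print(f"SUSPICIOUS: {location} = {value}")
    print("known dropper referenced:", mentions_known_dropper(all_findings))
```

The checks deliberately compare against the expected clean state (an empty run=/load= line, a shell line consisting only of explorer.exe) rather than searching for 'blackice.exe', so a renamed copy of the worm is still caught; the filename match is kept as a separate, higher-confidence signal.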
Additional Information
For more information about Worm:Win32/DarkSnow.A see our descriptions elsewhere in the malware encyclopedia.
Analysis by Dan Kurc