Virus:Win32/DarkSnow.A is a virus that infects files with extension .DOC, .XLS and .EXE.
Installation
This virus is installed when a user opens files infected by Virus:O97M/DarkSnow.A or runs Worm:Win32/DarkSnow.A. When Worm:Win32/DarkSnow.A is run, a thread is created to search all drives and attempt to infect files with extension .EXE, .DOC and .XLS.
Spreads Via…
File Infection
When a file infected by Virus:Win32/DarkSnow.A is executed, the virus drops a copy of Worm:Win32/DarkSnow.A as '%temp%\bk_1.tmp'. The dropped worm copy is executed and creates a mutex named "blackicemutex". It then copies itself as the following files:
<system folder>\blackice.exe - Worm:Win32/DarkSnow.A
<system folder>\kernel.dll - Worm:Win32/DarkSnow.A
The file properties of 'blackice.exe' are set to system, hidden and read-only. A thread is created to search all drives and attempt to infect files with extension .EXE, .DOC and .XLS.
When infecting .DOC and .XLS files, Worm:Win32/DarkSnow.A first checks whether the string '<!!blackice>' is already present. If the string is not found, the worm infects the Microsoft Office format file.
When infecting .EXE files, the virus appends a section called "blackice" at the end of the host file.
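As an added example (not part of the encyclopedia entry), the following Python script applies the two file-level indicators described above as a defensive check: the '<!!blackice>' marker in .DOC/.XLS files, and a section named "blackice" in the section table of .EXE files. The PE section-table parser, the build_pe helper and the sample inputs are constructed here for offline testing and are not from the original description.

```python
import struct

# Indicators taken from the DarkSnow.A description; everything else is constructed.
OFFICE_MARKER = b"<!!blackice>"   # marker the worm checks for before infecting .DOC/.XLS
PE_SECTION_NAME = b"blackice"     # name of the section appended to infected .EXE hosts


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20 from the PE signature
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size        # section table follows the optional header
    names = []
    for i in range(num_sections):
        name = data[table + 40 * i: table + 40 * i + 8]   # each header is 40 bytes, name first
        if len(name) < 8:
            break                           # truncated header: stop rather than misread it
        names.append(name.rstrip(b"\0"))
    return names


def file_is_infected(filename: str, data: bytes) -> bool:
    """Apply the per-file-type indicator: marker string for Office files, section name for EXEs."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("doc", "xls"):
        return OFFICE_MARKER in data
    if ext == "exe":
        return PE_SECTION_NAME in pe_section_names(data)
    return False


def build_pe(section_names) -> bytes:
    """Constructed minimal PE (headers only, no code) used as sample input for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


if __name__ == "__main__":
    print(file_is_infected("host.exe", build_pe([b".text", b"blackice"])))   # True
    print(file_is_infected("report.doc", b"\xd0\xcf\x11\xe0" + b"<!!blackice>"))  # True
```

On a real system, feed the same functions the bytes of each .EXE, .DOC and .XLS file found on the drives the worm scans.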
Payload
Installs Worm:Win32/DarkSnow.A
The registry is modified to run the dropped worm copy 'blackice.exe' at Windows start.
Adds value: "run"
With data: "<system folder>\blackice.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "Shell"
With data: "Explorer <system folder>\blackice.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The Windows configuration files 'system.ini' and 'win.ini' are also modified to execute the worm copy at Windows start. The worm makes the following change to '%windir%\win.ini' within the "[load]" section:
run=<system folder>\blackice.exe
The worm makes the following change to '%windir%\system.ini' within the "[boot]" section:
shell=explorer.exe <system folder>\blackice.exe
Note: The configuration files 'system.ini' and 'win.ini' contain driver load parameters and other Windows configurations - they are primarily used by Windows 9x (95/98/Me) and in some cases Windows XP.
Additional Information
For more information about Worm:Win32/DarkSnow.A, see the description elsewhere in the malware encyclopedia.
Analysis by Dan Kurc