Installation
When the worm runs, it creates folders and variants of itself, both with hidden and system attributes:
- %ProgramFiles%\<random numeric folder name>\<random numeric file name>.js
- %USERPROFILE%\Application Data\%\<random numeric folder name>\<random numeric filename>.js
- %UserProfile%\Start Menu\Programs\Startup\<random numeric file name>.js
For example,
It creates the following registry entry so that it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <file name of the dropped malware, as referenced in the data>, for example "09"
With data: "<%APPDATA%\random number\random number.js>", for example "%appdata%\1f6e\09.js"
The worm also checks to see if it's in a virtual environment by checking for the following strings:
If the worm detects that it's in a virtual environment, it will not run.
Spreads via...
Removable drives, and peer-to-peer (P2P) and network shares
The malware spreads by dropping copies of itself in removable and network drives it locates on your computer.
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
The worm also creates a <random name>.zip file and copies it to the following P2P file-sharing folders:
- ares\my shared folder
- bearshare\shared
- edonkey2000\incoming
- emule\incoming
- grokster\my grokster
- icq\shared folder
- kazaa lite k++\my shared folder
- kazaa lite\my shared folder
- kazaa\my shared folder
- limewire\shared
- morpheus\my shared folder
- My Documents\FrostWire\Shared
- tesla\files
- winmx\shared
Payload
Modifies security settings
The worm lowers your computer's security settings by making the following changes to the registry:
- Turns off system notifications for disabled antivirus, firewall and automatic updates:
In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusDisableNotify"
Sets value: "FirewallDisableNotify"
Sets value: "UpdatesDisableNotify"
With data: "1"
In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoWindowsUpdate"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\MRT
Sets value: "DontReportInfectionInformation"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"
- Turns off system restore:
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "DisableConfig"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "SystemRestoreDisableSR"
With data: "1"
- Disables Task Manager and Registry Tools:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PoliciesSet
Sets value: "DisableTaskMgr"
Sets value: "DisableRegistryTools"
With data: "1"
Stops security-related processes
The malware stops the following antivirus programs from running on your computer:
- Alwil Software
- AVAST Software
- AVG
- Avira
- ESET
- F-Secure
- Kaspersky Lab
- Malwarebytes' Anti-Malware
- McAfee
- Microsoft Security Client
- Microsoft Security Essentials
- Panda Security
- Spyware Doctor
- Symantec
- Trend Micro
The worm may also block access to security-related domains associated with the antivirus programs listed above.
Modifies your computer's settings
The worm overrides the display settings so files with the 'hidden' attribute are not displayed; it does this by making the following registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
It also hides file name extensions from view by making the following change to the registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
The worm makes the following changes to the registry to disable the Windows Security Center service settings:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"
It disables the homepage settings in Internet Explorer by making the following changes to the registry:
In subkey: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "HomePage"
With data: "1"
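As an added defender's check that is not part of the original analysis, the following Python script parses a .reg export and flags the Security Center, firewall, wscsvc and Explorer values listed in the Payload sections above, plus any Run entry that launches a .js file, like the persistence entry described under Installation. The sample export is constructed, the indicator table is a subset of the values on this page, and the parser handles only dword and plain string values.

```python
import re

# Indicators taken from the page: (key as spelled in a .reg export, value name) -> DWORD data that signals the change; lower-cased because registry paths are case-insensitive.
INDICATORS = {
    (r"hkey_local_machine\software\microsoft\security center", "antivirusdisablenotify"): 1,
    (r"hkey_local_machine\software\microsoft\security center", "firewalldisablenotify"): 1,
    (r"hkey_local_machine\software\microsoft\security center", "updatesdisablenotify"): 1,
    (r"hkey_local_machine\software\microsoft\security center\svc", "firewalloverride"): 1,
    (r"hkey_local_machine\system\currentcontrolset\services\wscsvc", "start"): 4,
    (r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"): 1,
}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

def parse_reg(text):
    """Parse a .reg export into {(key, value name): data}. Handles dword and plain string values only."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', line, re.I)
            if m:
                name, dword, string = m.groups()
                # .reg exports escape backslashes inside string data as "\\"
                values[(key, name.lower())] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return values

def find_indicators(text):
    """Return findings for values matching the worm's registry changes, plus .js Run-key persistence."""
    values = parse_reg(text)
    findings = [f"{k}\\{n} = {d}" for (k, n), d in INDICATORS.items() if values.get((k, n)) == d]
    for (key, name), data in values.items():
        if key == RUN_KEY and isinstance(data, str) and data.lower().endswith(".js"):
            findings.append(f"Run entry '{name}' launches a script: {data}")
    return findings

# Constructed sample export (not a real capture): two notifications off, wscsvc disabled, one .js Run entry, one benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"09"="%appdata%\\1f6e\\09.js"
"OneDrive"="C:\\Users\\user\\OneDrive.exe /background"
'''
print("\n".join(find_indicators(SAMPLE_REG)))
```

On a live system, export the keys with `reg export` first; the script reads the resulting file rather than touching the registry directly.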
Contacts remote hosts
The worm attempts to contact a remote command-and-control (C&C) server to download additional configuration files and updates of itself.
In the wild, we have observed it contacting the following server for this purpose:
jsh37.net
It gathers the following information from your computer and sends it back to the C&C server:
- The version of Windows installed on your computer
- Your computer's name
- The presence of an antivirus solution on your computer
- Your computer's CPU information
- Your computer's BIOS information
Analysis by Marianne Mallen