Worm:Win32/Ambler.A is a worm that spreads via removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer.
Installation
When run, Worm:Win32/Ambler.A drops several randomly-named files onto the system. These file names vary from one instance of Ambler to the next, but in the wild one example has been observed to create the following files:
- <system folder>\inform.dat - an encrypted copy of itself
- <system folder>\klpl1.dll
- <system folder>\uiv
- %APPDATA%\<random folder name>\<random file name>.dll - for example, "fkhneec.dll"
- %APPDATA%\<random folder name>\<random file name> - an encrypted copy of itself
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Ambler launches the dropped DLL component and registers itself as a BHO (Browser Helper Object). It makes a number of registry modifications in order to facilitate its actions on the affected computer. For example, one variant made the following registry modifications:
Sets value: "(Default)"
With data: "DCOM service"
Sets value: "Locale"
With data: "EN"
Sets value: "StubPath"
With data: "rundll32 klpl1.dll,laspi"
Sets value: "IsInstalled"
With data: "1"
Sets value: "Version"
With data: "4,3,6,3"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{859374EE-7A74-4844-A161-33A579B1C4A6}
Sets value: "BN"
With data: "@g[g."
To subkey: HKLM\Software\MSN
Sets value: "(default)"
With data: "msn helper"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}
Sets value: "(default)"
With data: "klpl1.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\InprocServer32
Sets value: "(default)"
With data: "glok"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\ProgID
Sets value: "(default)"
With data: "{7357e059-704b-43b2-b82a-024510b52945}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\TypeLib
Sets value: "dcom"
With data: "rundll32.exe klp1l.dll,ID"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "lpc"
With data: "rundll32.exe "%APPDATA%\sun\fkhneec.dll", registerdll"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Removable drives
Ambler may attempt to spread via removable drives. It does this by creating a directory called RECYCLER in the root of the removable drive. It then copies itself into this directory, with a file name such as "recycld.exe". For example:
<targeted drive>:\RECYCLER\recycld.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine.
The worm sets the hidden and system attributes for all of the aforementioned directories and files.
Payload
Steals sensitive information
This worm attempts to steal stored passwords from the following locations:
- Microsoft Outlook Express
- Internet Explorer password protected sites
- MSN Explorer Signup
- Internet Explorer auto complete fields
- Internet Explorer auto complete passwords
- Internet cookies
- Passwords stored in pstore.dll
It may then create the following files in the <system folder> in order to store the stolen data:
m1.dat
o6.dat
br1.dat
ca.dat
nk.dat
o3.dat
l4.dat
jc.dat
c2d.dat
idm.dat
pld.dat
q1.dat
ck.dat
bx.dat
xd.dat
Another in-the-wild variant of this malware created data files in a randomly named folder within the "Application Data" folder, as in the following examples:
%APPDATA%\sun\crff.txt
%APPDATA%\sun\xkelf.txt
%APPDATA%\sun\ffefx.txt
%APPDATA%\sun\rwbbr.txt
%APPDATA%\sun\cetw.txt
%APPDATA%\sun\vntw.txt
%APPDATA%\sun\vwvn.txt
%APPDATA%\sun\lfmt.txt
%APPDATA%\sun\cngrh.txt
Stolen data is sent to a remote attacker. In the wild, Worm:Win32/Ambler.A has been observed to contact the following servers for this purpose:
- testthenewsource.net
- zhogdiana.info
Modifies Windows settings
Win32/Ambler modifies registry data to disable Windows Task Manager and Windows Registry Editor utilities.
Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
The malware makes other registry modifications including the following:
Sets value: "Enabled"
With data: "0"
To subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "D1"
With data: "y}||fp&s|r9przp"
To subkey: HKCU\Software\Microsoft\Clock
Analysis by Tim Liu