Threat behavior
Worm:Win32/Cubspewt.A is a worm that modifies certain system settings.
Installation
Worm:Win32/Cubspewt.A drops the following file in the hidden folder 'C:\Windows\system32 \':
- smss.exe - a copy of itself, which shares its name with a legitimate Windows file (smss.exe) in the real Windows system folder
Note that the folder name 'system32 ', which is created by this worm, ends in a space character. This ensures that the folder is hidden in the system and thus is not seen by the user.
It modifies the registry so that its dropped copy is run every time an executable file is launched on the system:
Modifies value: "(Default)"
From data: ""%1" %*"
To data: ""C:\Windows\system32 \smss.exe" "%1" %*"
To subkey: HKCR\exefile\shell\open\command
Worm:Win32/Cubspewt.A also modifies the system registry so that its dropped copy automatically runs every time Windows starts:
Adds value: "userinit"
With data: "<system folder>\userinit.exe, C:\Windows\system32 \smss.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon
It also creates the following entries as part of its installation routine:
Adds value: "id"
With data: "1"
Adds value: "Name"
With data: "SMS Services"
To subkey: HKCU\Console
Spreads via…
Removable drives
Worm:Win32/Cubspewt.A copies itself to the root of all removable drives as the file 'smss.exe'. It also drops the file 'autorun.inf' so that its copy runs automatically when the drive is accessed on a system where Autorun is enabled.
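The removable-drive behaviour above can be checked from a defender's side with a read-only scan. The following PowerShell is an added example and not code from the Microsoft encyclopedia entry; it assumes that Win32_LogicalDisk DriveType 2 identifies removable drives and that the worm's autorun.inf names smss.exe (the entry does not quote the file's contents, so that match is an assumption). The NoDriveTypeAutoRun policy value it reports is a standard Windows setting, not something taken from this entry.

```powershell
# Added example, not from the Microsoft encyclopedia entry: read-only scan of removable
# drives for the smss.exe / autorun.inf pairing described above.
# Assumptions: Win32_LogicalDisk DriveType 2 identifies removable drives, and the
# worm's autorun.inf names smss.exe (the entry does not quote the file's contents).
$findings = @()
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2"
foreach ($drive in $removable) {
    $root    = $drive.DeviceID + '\'
    $copy    = Join-Path $root 'smss.exe'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $copy) {
        # -Force so a hidden/system-attributed copy is still returned
        $item = Get-Item -LiteralPath $copy -Force
        $findings += [pscustomobject]@{
            Drive     = $drive.DeviceID
            Indicator = 'smss.exe in drive root'
            Detail    = "$($item.Length) bytes, attributes: $($item.Attributes)"
        }
    }
    if (Test-Path -LiteralPath $autorun) {
        $lines = Get-Content -LiteralPath $autorun -Force -ErrorAction SilentlyContinue
        $refs  = @($lines | Where-Object { $_ -match 'smss\.exe' })
        $findings += [pscustomobject]@{
            Drive     = $drive.DeviceID
            Indicator = 'autorun.inf in drive root'
            Detail    = if ($refs.Count) { "references smss.exe: $($refs -join ' | ')" } else { 'does not reference smss.exe' }
        }
    }
}
# Autorun state on this host: NoDriveTypeAutoRun = 0xFF under this policy key disables
# AutoRun for every drive type, which removes the trigger this worm relies on.
$policy = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$autorunState = if ($policy) { '0x{0:X2}' -f $policy.NoDriveTypeAutoRun } else { '<not set>' }
"NoDriveTypeAutoRun (HKLM): $autorunState"
if ($findings) { $findings | Format-Table -AutoSize } else { 'No smss.exe/autorun.inf indicators on removable drives.' }
```

The scan only reads; it does not delete the files, because a copy of smss.exe in a drive root is an indicator rather than proof, and the sample should be preserved for analysis. A legitimate smss.exe lives only in the Windows system folder, so one in a removable drive root is worth a closer look regardless of the autorun.inf result.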
Payload
Modifies system settings
Worm:Win32/Cubspewt.A changes several system settings, including:
- Disables Windows service pack updates via Windows Update or Auto Update (WU/AU):
Adds value: "DoNotAllowXPSP2"
With data: "01, 00, 00, 00"
Adds value: "DoNotAllowXPSP3"
With data: "01, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Hides system files and disables the Windows Explorer option to show all files:
Adds value: "ShowSuperHidden"
With data: "0"
Adds value: "Hidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Adds a Windows Firewall exception so that its dropped copy can access the network:
Adds value: "C:\Windows\system32 \smss.exe"
With data: "C:\Windows\system32 \smss.exe:*:Enabled:SMS Services"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "C:\Windows\system32 \smss.exe"
With data: "C:\Windows\system32 \smss.exe:*:Enabled:SMS Services"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Disables DCOM protocol on the system:
Modifies value: "EnableDCOM"
From data: "Y"
To data: "N"
To subkey: HKLM\SOFTWARE\Microsoft\Ole
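The registry and file indicators in the Installation section and in the Payload section above can be audited in one pass. The PowerShell below is an added example, not code from the Microsoft encyclopedia entry: it assumes the C:\Windows layout the entry uses (taken from $env:SystemRoot), builds its match patterns from the data values listed on this page, and treats a match as suspicious without changing anything. One practical caveat it handles: some Windows and .NET path normalisation strips a trailing space from a path component, so the 'system32 ' folder is located by enumerating its parent rather than by Test-Path on the full path.

```powershell
# Added example, not from the Microsoft encyclopedia entry: a read-only audit of the
# file and registry indicators listed in the Installation and Payload sections.
# Assumes the C:\Windows layout the entry describes; $sysRoot follows the live system.
$sysRoot = $env:SystemRoot                         # C:\Windows on the analysed system
$dropped = "$sysRoot\system32 \smss.exe"           # note the trailing space after system32

# --- File indicators -----------------------------------------------------------
# Trailing spaces in a path component can be stripped by path normalisation, so find
# the folder by enumerating its parent (-Force includes hidden directories).
$dropFolder = Get-ChildItem -LiteralPath $sysRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'system32 ' }
$fileFindings = @()
if ($dropFolder) {
    $fileFindings += "Folder with trailing space exists: '$($dropFolder.FullName)'"
    foreach ($f in Get-ChildItem -LiteralPath $dropFolder.FullName -Force -ErrorAction SilentlyContinue) {
        # smss.exe is the dropped copy; win.log is the downloaded settings file
        if ($f.Name -in @('smss.exe', 'win.log')) {
            $fileFindings += "Dropped file present: $($f.FullName) ($($f.Length) bytes)"
        }
    }
}

# --- Registry indicators -------------------------------------------------------
# Name '' selects a key's (Default) value. Pattern is a regex built from the data the
# entry says the worm writes; a current value matching it is reported as Suspicious.
$regChecks = @(
  @{ Path='Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name=''; Pattern='system32 \\smss\.exe'; Why='Every .exe launch routed through the dropped copy' }
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Userinit'; Pattern='system32 \\smss\.exe'; Why='Run at every Windows start' }
  @{ Path='HKCU:\Console'; Name='Name'; Pattern='^SMS Services$'; Why='Installation marker' }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name='DoNotAllowXPSP2'; Pattern='^01 00 00 00$'; Why='Blocks XP SP2 via WU/AU' }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name='DoNotAllowXPSP3'; Pattern='^01 00 00 00$'; Why='Blocks XP SP3 via WU/AU' }
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Pattern='^0$'; Why='Hides protected OS files' }
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden'; Pattern='^0$'; Why='Hides hidden files' }
  @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name='CheckedValue'; Pattern='^0$'; Why='Breaks the "Show all files" option' }
  @{ Path='HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Name=$dropped; Pattern='SMS Services'; Why='Firewall exception for the dropped copy (ControlSet001)' }
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Name=$dropped; Pattern='SMS Services'; Why='Firewall exception for the dropped copy (CurrentControlSet)' }
  @{ Path='HKLM:\SOFTWARE\Microsoft\Ole'; Name='EnableDCOM'; Pattern='^N$'; Why='DCOM disabled' }
)

$regFindings = foreach ($c in $regChecks) {
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    $raw = if ($key) { $key.GetValue($c.Name) } else { $null }
    # Render REG_BINARY as space-separated hex so the entry's "01, 00, 00, 00" is comparable
    $text = if ($raw -is [byte[]]) { ($raw | ForEach-Object { $_.ToString('x2') }) -join ' ' } else { "$raw" }
    [pscustomobject]@{
        Suspicious = ($null -ne $raw) -and ($text -match $c.Pattern)
        Why        = $c.Why
        Location   = "$($c.Path)\$(if ($c.Name) { $c.Name } else { '(Default)' })"
        Current    = if ($null -eq $raw) { '<absent>' } else { $text }
    }
}

$fileFindings
$regFindings | Format-Table Suspicious, Why, Current -AutoSize
```

The audit reads HKCU for the user running it, so run it in the context of the affected account to cover the HKCU\Console and Explorer\Advanced entries. It deliberately does not restore values: while the exefile\shell\open\command hijack is in place, launching any .exe starts the dropped copy, so remediation of that value and removal of the file need to be sequenced carefully (for example from an environment where the worm is not running) rather than scripted casually.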
Connects to a remote server
Worm:Win32/Cubspewt.A may connect to a remote server to download certain settings, such as the location from which to download updates to itself. The downloaded settings file is saved in the 'system32 ' subfolder as win.log.
Analysis by Jaime Wong
Prevention