Worm:Win32/DarkSnow.A is a worm that copies itself to attached drives and infects files stored both locally and on attached drives. Some variants may terminate security-related applications.
Installation
This worm is installed when a user opens files infected by Virus:O97M/DarkSnow.A or runs files infected with Virus:Win32/DarkSnow.A. When a Virus:O97M/DarkSnow.A infected Excel workbook is opened and its macro executes, the macro creates a new workbook named 'book1.xls' in the XLSTART folder, infects that workbook, and then infects workbooks opened in Excel. Because Excel loads every workbook in XLSTART at startup, the infected 'book1.xls' is opened each time Excel runs. The macro contains a base64 encoded copy of Worm:Win32/DarkSnow.A that is dropped when the macro is allowed to execute.
When a Virus:O97M/DarkSnow.A infected Word document is opened and its macro executes, it infects the global template 'normal.dot'. Once the global template is infected, documents newly created in Word are infected as well. Both forms of the macro virus contain a base64 encoded copy of Worm:Win32/DarkSnow.A that is dropped and run as described below.
When a Virus:Win32/DarkSnow.A infected file is run, it drops a copy of Worm:Win32/DarkSnow.A as the following:
%temp%\bk_1.tmp - Worm:Win32/DarkSnow.A
The dropped worm copy is executed and it creates a mutex "blackicemutex". It then copies itself as the following files:
<system folder>\blackice.exe - Worm:Win32/DarkSnow.A
<system folder>\kernel.dll - Worm:Win32/DarkSnow.A
The file attributes of 'blackice.exe' are set to system, hidden and read-only. The registry is modified to run the dropped copy 'blackice.exe' at Windows start.
Adds value: "run"
With data: "<system folder>\blackice.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "Shell"
With data: "Explorer <system folder>\blackice.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The Windows configuration files 'system.ini' and 'win.ini' are also modified to execute the worm copy at Windows start. The worm makes the following change to '%windir%\win.ini' within the "[load]" section:
run=<system folder>\blackice.exe
The worm makes the following change to '%windir%\system.ini' within the "[boot]" section:
shell=explorer.exe <system folder>\blackice.exe
Note: The configuration files 'system.ini' and 'win.ini' contain driver load parameters and other Windows configurations - they are primarily used by Windows 9x (95/98/Me) and in some cases Windows XP.
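The legacy autostart hooks above can be audited with a small parser. The following Python is an added example, not part of the original analysis: it takes the text of win.ini and system.ini (the sample content is constructed to mirror the changes described) and reports any shell= entry in [boot] that is not a bare explorer.exe, any non-empty run= or load= key in any section, and any reference to the worm's file names. A hand-rolled parser is used instead of configparser because these files may contain duplicate keys and values without a key.

```python
"""Check win.ini / system.ini for the legacy autostart hooks described above.

Added example, not from the original analysis. Input is the text of the two
files; the sample content at the bottom is constructed.
"""

WORM_NAMES = ("blackice.exe", "kernel.dll", "bk_1.tmp")  # file names from the write-up


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}.
    Keeps duplicate keys, which configparser would merge or reject."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_system_ini(text):
    """A clean system.ini has exactly 'shell=explorer.exe' under [boot]."""
    findings = []
    for key, value in parse_ini(text).get("boot", []):
        if key == "shell" and [t.lower() for t in value.split()] != ["explorer.exe"]:
            findings.append(f"system.ini [boot] shell={value}")
    return findings


def check_win_ini(text):
    """Any non-empty run= or load= key starts a program at logon; report all of them."""
    findings = []
    for section, entries in parse_ini(text).items():
        for key, value in entries:
            if key in ("run", "load") and value:
                findings.append(f"win.ini [{section}] {key}={value}")
    return findings


def check_legacy_autostart(win_ini_text, system_ini_text):
    findings = check_win_ini(win_ini_text) + check_system_ini(system_ini_text)
    # Also flag the named worm files wherever they appear, even outside the expected keys.
    combined = (win_ini_text + system_ini_text).lower()
    findings.extend(f"reference to {name}" for name in WORM_NAMES if name in combined)
    return findings


# Constructed sample mirroring the modifications described above.
SAMPLE_WIN_INI = """[windows]
load=
run=
[load]
run=C:\\WINDOWS\\system32\\blackice.exe
[Extensions]
txt=notepad.exe ^.txt
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\system32\\blackice.exe
[386Enh]
device=*vshare
"""
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"

if __name__ == "__main__":
    for finding in check_legacy_autostart(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("SUSPICIOUS:", finding)
```

On a live host, feed the script the contents of %windir%\win.ini and %windir%\system.ini; on Windows 9x/Me these files are authoritative, while on XP any shell= or run= content here is unusual and worth a look regardless of this particular worm.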
Spreads Via…
Removable Drives
A thread is created that copies Worm:Win32/DarkSnow.A to newly inserted USB drives, using the file name of the currently running process, usually "blackice.exe" but in some cases "bk_1.tmp". The worm then writes an AutoRun configuration file named 'autorun.inf' that points to the worm copy. When the removable or networked drive is accessed from another computer with the AutoRun feature enabled, the malware is launched automatically.
File Infection
Another thread is created to search all drives and attempt to infect files with the extensions .EXE, .DOC and .XLS. When an infected executable is run, it drops and installs a copy of the worm as described above. Before infecting a .DOC or .XLS file, Worm:Win32/DarkSnow.A first checks whether the string '<!!blackice>' is present. The string serves as an infection marker: if it is absent, the worm infects the Office file; if it is present, the file is skipped so it is not infected a second time.
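The two spreading artefacts described under "Removable Drives" and "File Infection" are easy to hunt for on a drive image. The following Python is an added example, not part of the original analysis: it scans a directory tree for an autorun.inf whose open= or shellexecute= key launches something from the drive, and for .doc/.xls files that carry the '<!!blackice>' infection marker. The sample drive it builds in a temporary directory is constructed for demonstration and contains no real malware.

```python
"""Scan a drive root (or any directory tree) for the spreading artefacts
described above: an autorun.inf that launches an executable, and Office
.doc/.xls files carrying the '<!!blackice>' infection marker.

Added example, not part of the original analysis. The sample drive built by
build_sample_drive() is constructed; file names and contents are made up.
"""
import os
import re
import tempfile

INFECTION_MARKER = b"<!!blackice>"          # marker the worm checks before infecting
OFFICE_EXTENSIONS = (".doc", ".xls")
# [autorun] keys that can launch a program when the drive is inserted or opened.
AUTORUN_LAUNCH_KEY = re.compile(rb"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.I | re.M)


def autorun_targets(autorun_inf_path):
    """Return the launch targets named in an autorun.inf, lower-cased."""
    with open(autorun_inf_path, "rb") as fh:
        data = fh.read()
    return [m.group(2).decode("latin-1").lower() for m in AUTORUN_LAUNCH_KEY.finditer(data)]


def office_file_has_marker(path):
    """True if a .doc/.xls contains the worm's infection marker anywhere in the file."""
    with open(path, "rb") as fh:
        return INFECTION_MARKER in fh.read()


def scan_drive(root):
    """Return findings as (kind, path, detail) tuples."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        for target in autorun_targets(autorun):
            findings.append(("autorun", autorun, target))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(OFFICE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                if office_file_has_marker(path):
                    findings.append(("infected-office", path, INFECTION_MARKER.decode()))
    return findings


def build_sample_drive():
    """Constructed removable-drive layout for demonstration; not real malware."""
    root = tempfile.mkdtemp(prefix="darksnow_demo_")
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(b"[autorun]\r\nopen=blackice.exe\r\nshellexecute=blackice.exe\r\nicon=blackice.exe\r\n")
    with open(os.path.join(root, "blackice.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real binary")
    os.makedirs(os.path.join(root, "docs"))
    # OLE2 compound-file magic followed by a fake macro body carrying the marker.
    with open(os.path.join(root, "docs", "budget.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + b"Sub Auto_Open() <!!blackice> End Sub")
    with open(os.path.join(root, "docs", "clean.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_drive(build_sample_drive()):
        print(f"{kind:16} {path}  ->  {detail}")
```

The marker check is deliberately a plain substring search over the whole file rather than a parse of the VBA project stream: the write-up only says the string is present in infected files, and a byte search finds it wherever it sits.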
Payload
Terminates Applications
Some variants of this threat may terminate running processes whose names contain any of the following strings, which correspond to antivirus and personal firewall products:
360SAFE
ANYVIEW
AVP
EGHOST
IPARMOR
KASPERSKY
KAV32
KAVPFW
KAVSVCUI
KAVSVC
KVMONXP
KVSRVXP
KVFW
KVWSC
KVXP
KWATCHUI
NAVAPSVC
NAVW32
NMAIN
NOD32
PFW
RAV.EXE
RAVMOND
RAVMON
RAVTIMER
RISING
SCAN32
THGUARD
TROJANHUNTER
Collects and Sends Information to Remote Sites
The worm gathers information about the infected computer such as
The worm may download a file 'url.txt' from one of the following predefined remote websites:
fmtwld.zj.com
fmtwld.vicp.net
The file is stored temporarily as '<system folder>\blackice.ini' and may contain a list of other remote websites. The collected data may then be sent in the following format to the remote sites:
<site>?mac=<mac address>&serial=<volume serial number>&hostname=<localhostname>&version=1.1
The temporary file '<system folder>\blackice.ini' is later deleted.
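The check-in format above is specific enough to detect in web-proxy logs. The following Python is an added example, not part of the original analysis: it flags any request to the two named hosts and, independently of the host, any URL whose query string carries the mac, serial, hostname and version fields, then extracts those fields for triage. The log format (timestamp, client IP, method, URL, status) and the sample lines, including the MAC address, serial and hostname, are constructed; adapt the field split to your proxy's format.

```python
"""Detect the check-in described above in web-proxy logs: a request to one of
the known hosts, or to any host with the query-string shape
?mac=...&serial=...&hostname=...&version=1.1

Added example, not from the original analysis. The log format and sample
lines are constructed (timestamp, client IP, method, URL, status).
"""
from urllib.parse import parse_qs, urlsplit

KNOWN_HOSTS = {"fmtwld.zj.com", "fmtwld.vicp.net"}   # from the write-up
BEACON_FIELDS = {"mac", "serial", "hostname", "version"}


def parse_beacon(url):
    """Return the beacon fields if the URL looks like the worm's check-in, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    host = parts.hostname or ""
    if not BEACON_FIELDS.issubset(query) and host not in KNOWN_HOSTS:
        return None
    return {
        "host": host,
        "path": parts.path,
        "mac": query.get("mac", [""])[0],
        "serial": query.get("serial", [""])[0],
        "hostname": query.get("hostname", [""])[0],
        "version": query.get("version", [""])[0],
        "known_host": host in KNOWN_HOSTS,
    }


def scan_proxy_log(lines):
    """Return (client_ip, beacon) for every log line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        beacon = parse_beacon(url)
        if beacon:
            hits.append((client_ip, beacon))
    return hits


# Constructed sample log; the MAC address, serial and hostname are made up.
SAMPLE_LOG = """\
2009-03-02T10:14:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2009-03-02T10:14:07Z 10.0.0.15 GET http://fmtwld.zj.com/url.txt 200
2009-03-02T10:14:09Z 10.0.0.15 GET http://203.0.113.7/r.asp?mac=00-0C-29-3A-1B-2C&serial=1A2B3C4D&hostname=FIN-PC07&version=1.1 200
2009-03-02T10:15:30Z 10.0.0.22 GET http://www.example.com/?hostname=test&version=2 200
""".splitlines()

if __name__ == "__main__":
    for client_ip, beacon in scan_proxy_log(SAMPLE_LOG):
        print(client_ip, beacon["host"], beacon["mac"], beacon["serial"], beacon["hostname"])
```

Matching on the full set of query fields rather than on the host list matters here: the 'url.txt' download can redirect the worm to sites not in the list, so a host-only rule would miss the actual data exfiltration.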
Lowers Macro Security
Worm:Win32/DarkSnow.A lowers Microsoft Word and Excel macro security by modifying registry data. A "Level" of 1 corresponds to the "Low" setting in Office 2000 through Office 2003, under which macros run without any prompt, so the macro virus component executes silently when an infected document or workbook is opened.
Modifies value: "Level"
With data: "1"
In subkeys:
HKCU\Software\Microsoft\Office\<version>\Excel\Security
HKCU\Software\Microsoft\Office\<version>\Word\Security
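The registry changes made by this worm, the Winlogon "Shell" and HKCU "run" autostart entries listed under Installation and the Office macro security "Level" values above, can be audited from a registry export. The following Python is an added example, not part of the original analysis: it parses the text format written by regedit and 'reg export', then reports a Winlogon Shell other than explorer.exe, a non-empty run value under HKCU\...\Windows NT\CurrentVersion\Windows, and any Word or Excel Security key whose Level is 1. The sample export is constructed; the Office version number in it (11.0) is one illustrative value and the regular expression accepts any.

```python
"""Audit a registry export (the format written by regedit and 'reg export')
for the values this worm sets: the Winlogon Shell and HKCU ...\Windows "run"
autostart entries, and Office macro security "Level" set to 1 (Low).

Added example, not from the original analysis; the sample export below is
constructed. Produce real input on a host with, for example:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
"""
import re


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}} for a .reg export.
    Handles REG_SZ ("..."), REG_DWORD (dword:hex) and leaves other types raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"\s*=\s*(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_WINDOWS = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
OFFICE_SECURITY = re.compile(
    r"^hkey_current_user\\software\\microsoft\\office\\[^\\]+\\(word|excel)\\security$")


def audit(keys):
    """Return human-readable findings for the values described in the write-up."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.strip().lower() not in ("explorer.exe", "explorer"):
        findings.append(f"Winlogon Shell is {shell!r}, expected explorer.exe")
    run = keys.get(HKCU_WINDOWS, {}).get("run")
    if run:
        findings.append(f"HKCU ...\\Windows run = {run!r}")
    for path, values in keys.items():
        if OFFICE_SECURITY.match(path) and "level" in values:
            level = values["level"]
            # The value may be exported as dword or as the string "1"; treat both alike.
            level = int(level) if isinstance(level, str) and level.isdigit() else level
            if level == 1:
                findings.append(f"{path} Level=1 (Low: macros run without prompting)")
    return findings


# Constructed export mirroring the modifications described in the write-up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer C:\\WINDOWS\\system32\\blackice.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\system32\\blackice.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
"Level"=dword:00000003
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

The Shell check compares against explorer.exe exactly rather than looking for the worm's file name, so it also catches the same persistence technique used by other malware that appends a path to the Winlogon Shell value.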
Analysis by Dan Kurc