Worm:Win32/Esfury.gen!A is a generic detection for a worm that spreads to all removable and network drives and connects to certain websites. The worm changes Internet Explorer's start page, as well as other system settings, in ways that may lower the overall security of the computer.
Installation
When run, Worm:Win32/Esfury.gen!A drops a copy of itself as the following:
For example, "c:\documents and settings\administrator\administrator1\winlogon.exe". The registry is modified to run the worm copy at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA Media Center Library"
To data: "%UserProfile%\<user name>1\winlogon.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA Media Center Library"
To data: "%UserProfile%\<user name>1\winlogon.exe"
It also injects code into the process "svchost.exe".
Spreads via…
Removable and network drives
Worm:Win32/Esfury.gen!A spreads to removable and network drives by dropping a copy of itself as the following:
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Modifies Windows system settings
Worm:Win32/Esfury.gen!A modifies registry data that affects the overall security of the computer.
Modifies Internet Explorer settings
Worm:Win32/Esfury.gen!A changes the start page of Internet Explorer by modifying the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.nuevaq.fm"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "Start Page"
With data: "http://0-2-t-9-r-6-p-4-4-4-s-0-h-e-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Modifies value: "Start Page"
With data: "http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
Modifies Hosts file
Worm:Win32/Esfury.gen!A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a website name to a particular IP address. Malicious software may modify the Hosts file to redirect specified URLs to different IP addresses. Malware often modifies an affected computer's Hosts file to stop users from reaching websites associated with security-related applications (such as antivirus software).
Connects to certain websites
Worm:Win32/Esfury.gen!A may contact the following remote hosts using port 80:
67.202.94.94 (whos.amung.us)
173.192.225.170 (widgets.amung.us)
74.55.58.170 (www.cheaps1.info, www.nuevaq.fm)
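An added read-only triage script, not part of this encyclopedia entry, that checks a Windows host for the indicators described above (Run-key value, dropped winlogon.exe copy, IE start page, Hosts file entries, autorun.inf on removable drives). The pattern used to recognise the hyphen-heavy .info start pages is a heuristic assumption; the listed domains are taken from the entry.

```powershell
# Added example (not from the Microsoft entry): read-only checks for Esfury indicators.
# Run in an elevated PowerShell session; it reports findings and changes nothing.
$findings = @()

# 1. Persistence: value "NVIDIA Media Center Library" under either Run key.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains 'NVIDIA Media Center Library')) {
        $findings += "Run value in $key -> $($item.'NVIDIA Media Center Library')"
    }
}

# 2. Dropped copy: %UserProfile%\<user name>1\winlogon.exe (the genuine file lives in System32).
$dropPath = Join-Path $env:USERPROFILE ("{0}1\winlogon.exe" -f $env:USERNAME)
if (Test-Path $dropPath) { $findings += "Worm copy present: $dropPath" }

# 3. IE start page pointing at a domain named in the entry, or at a hyphen-heavy .info
#    name like the ones listed (heuristic assumption: three or more "x-" runs).
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$startPage = if ($ieMain) { $ieMain.'Start Page' } else { '' }
if ($startPage -match 'nuevaq\.fm|cheaps1\.info|amung\.us|(?:[a-z0-9]-){3,}[a-z0-9.-]*\.info') {
    $findings += "Suspicious IE start page: $startPage"
}

# 4. Hosts file: report any address line that is not the default localhost mapping.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
if ($hostsLines) { $findings += "Non-default hosts entries:`n" + ($hostsLines -join "`n") }

# 5. Removable drives (DriveType=2) carrying an autorun.inf that launches something.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if ((Test-Path $inf) -and (Select-String -Path $inf -Pattern '^\s*(open|shellexecute)\s*=' -Quiet)) {
        $findings += "autorun.inf with launch directive on $($_.DeviceID)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Esfury indicators found.' }
```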
Analysis by Wei Li