Worm:Win32/Katar.A is a detection for malware that spreads by email and copies itself to network shares and removable drives. The worm also disables security-related services and closes application windows whose titles contain certain strings.
Installation
Worm:Win32/Katar.A copies itself as one of the following:
- %SystemRoot%\system32\KHATRA.exe
- %SystemRoot%\Xplorer.exe
- %SystemRoot%\system\ghost.exe
- %SystemRoot%\KHATARNAKH.exe
Worm:Win32/Katar.A makes the following registry modifications so that the worm runs at each system start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "%SystemRoot%\system32\KHATRA.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Xplorer"
With data: "%SystemRoot%\Xplorer.exe /Windows"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "G_Host"
With data: "%SystemRoot%\system\ghost.exe /Reproduce"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "%SystemRoot%\system32\KHATRA.exe"
The worm adds a scheduled task that runs the copied file every day at 09:00 by running the following AT command:
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su "%SystemRoot%\system32\KHATRA.exe"
Worm:Win32/Katar.A adds one of the copied files to the list of applications that are authorized to access the Internet without being blocked by Windows Firewall, by running the following command:
netsh firewall add allowedprogram program=%SystemRoot%\system32\KHATRA.exe name=System
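The following PowerShell triage function is an added example and is not part of the original write-up. It checks the persistence points listed above on a suspect host: the four drop locations, the four registry run values, the AT job and the firewall exception. It assumes an elevated prompt and PowerShell 4 or later on Windows 8.1/Server 2012 R2 or newer for Get-FileHash, Get-ScheduledTask and the NetSecurity cmdlets; the legacy AuthorizedApplications registry list, which is where "netsh firewall add allowedprogram" wrote on Windows XP/Vista/7, is checked as well.

```powershell
# Added triage script; not part of the original write-up.
# Run from an elevated PowerShell prompt on the suspect host.

$sysRoot = $env:SystemRoot

# Drop locations from the "Installation" section.
$katarDropPaths = @(
    "$sysRoot\system32\KHATRA.exe",
    "$sysRoot\Xplorer.exe",
    "$sysRoot\system\ghost.exe",
    "$sysRoot\KHATARNAKH.exe"
)

# Registry persistence from the "Installation" section: key, value name,
# and the file name the data should point at.
$katarRunValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'Taskman'; File = 'KHATRA.exe'  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Xplorer'; File = 'Xplorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'G_Host';  File = 'ghost.exe'   },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';            Name = 'Load';    File = 'KHATRA.exe'  }
)

# Legacy Windows Firewall exception list written by "netsh firewall add allowedprogram".
$legacyFwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function New-Finding([string]$Type, [string]$Location, [string]$Detail) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Find-KatarPersistence {
    $findings = @()

    # 1. Dropped copies. -Force makes Get-Item return hidden/system files.
    foreach ($path in $katarDropPaths) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += New-Finding 'File' $path "attrs=$($item.Attributes); sha256=$hash"
        }
    }

    # 2. Registry run values. Match on the file name only, because the data
    #    also carries switches such as "/Windows" and "/Reproduce".
    foreach ($v in $katarRunValues) {
        $props = Get-ItemProperty -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$v.Name]) {
            $data = [string]$props.PSObject.Properties[$v.Name].Value
            if ($data -match [regex]::Escape($v.File)) {
                $findings += New-Finding 'Registry' "$($v.Key)\$($v.Name)" $data
            }
        }
    }

    # 3. The daily AT job. AT jobs appear in the task library as "At<n>" tasks,
    #    so match on the executable rather than on the task name.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { @($_.Actions | ForEach-Object { $_.Execute }) -match 'KHATRA\.exe' } |
        ForEach-Object {
            $findings += New-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) ($_.Actions.Execute -join '; ')
        }

    # 4a. Legacy firewall exception list (XP/Vista/7): the program path is the value name.
    $fw = Get-ItemProperty -LiteralPath $legacyFwList -ErrorAction SilentlyContinue
    if ($fw) {
        $fw.PSObject.Properties | Where-Object { $_.Name -match 'KHATRA\.exe' } | ForEach-Object {
            $findings += New-Finding 'FirewallException' $_.Name ([string]$_.Value)
        }
    }

    # 4b. Modern firewall rule store (Windows 8 and later), in case the host is newer.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match 'KHATRA\.exe' } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            $findings += New-Finding 'FirewallRule' $rule.DisplayName $_.Program
        }

    return $findings
}

Find-KatarPersistence | Format-Table -AutoSize
```

The registry check matches on the file name rather than the full data string because the Run and policies\Explorer\Run values carry command-line switches; a host where the worm was installed to a different %SystemRoot% still matches. Hash the dropped files before deleting them so the sample can be submitted or matched against later detections.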
Spreads via…
Removable and network drives
Worm:Win32/Katar.A copies itself to the A: drive as the following:
<user name>.exe
Worm:Win32/Katar.A creates a copy of itself in the root of all drives, network shares and "<USERPROFILE>\Local Settings\Application Data\Microsoft\CD Burning\" as "KHATRA.exe" with 'system', 'read only' and 'hidden' attributes.
The worm then writes an autorun configuration file named "autorun.inf" pointing to "AutoRun.exe". When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Worm:Win32/Katar.A also copies itself as <folder name>.exe into every directory and sub-directory of removable drives, of "<USERPROFILE>\Local Settings\Application Data\Microsoft\CD Burning\" and of network shares, where <folder name> is the name of each such directory, so that the copy passes for the folder it is named after.
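The following PowerShell function is an added example and is not part of the original write-up. It scans one drive root or share for the spreading artifacts described above: the hidden KHATRA.exe root copy, an autorun.inf whose launch line names AutoRun.exe, and <folder name>.exe copies. The write-up does not say whether the <folder name>.exe copy is placed inside the directory or beside it, so the function checks both placements (an assumption); it needs PowerShell 3 or later for Get-Content -Raw and Get-ChildItem -Directory.

```powershell
# Added example; not part of the original write-up.
# Usage: Find-KatarDriveArtifacts -Root 'E:\'
#        Find-KatarDriveArtifacts -Root '\\fileserver\public'
function Find-KatarDriveArtifacts {
    param([Parameter(Mandatory)][string]$Root)

    $findings = @()

    # 1. Root copy, written with the hidden, system and read-only attributes.
    $rootCopy = Join-Path $Root 'KHATRA.exe'
    if (Test-Path -LiteralPath $rootCopy -PathType Leaf) {
        $attrs = (Get-Item -LiteralPath $rootCopy -Force).Attributes
        $findings += [pscustomobject]@{ Kind = 'RootCopy'; Path = $rootCopy; Note = "attributes: $attrs" }
    }

    # 2. autorun.inf whose open= / shellexecute= / shell\...\command= line names AutoRun.exe.
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        $text = Get-Content -LiteralPath $inf -Force -Raw
        $launchLines = [regex]::Matches($text, '(?im)^\s*(open|shellexecute|shell\\[^=\r\n]*\\command)\s*=\s*(.+?)\s*$')
        foreach ($m in $launchLines) {
            if ($m.Groups[2].Value -match 'AutoRun\.exe') {
                $findings += [pscustomobject]@{ Kind = 'AutorunInf'; Path = $inf; Note = $m.Value.Trim() }
            }
        }
    }

    # 3. <folder name>.exe copies. Assumption: the copy may sit inside the
    #    directory or next to it, so both locations are checked.
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $candidates = @((Join-Path $d.FullName "$($d.Name).exe"))
        if ($d.Parent) { $candidates += (Join-Path $d.Parent.FullName "$($d.Name).exe") }
        foreach ($candidate in $candidates) {
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $findings += [pscustomobject]@{ Kind = 'FolderNameExe'; Path = $candidate; Note = "named after folder '$($d.Name)'" }
            }
        }
    }

    return $findings
}
```

On Windows XP the CD Burning staging folder named in the write-up is "$env:USERPROFILE\Local Settings\Application Data\Microsoft\CD Burning"; pass it as -Root to scan it the same way. The regex only looks at the launch lines of autorun.inf, so an icon= line that happens to mention AutoRun.exe is not reported.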
Email
Worm:Win32/Katar.A attaches itself to emails that are sent to all Outlook contacts. The subject and body pair can be any one of the following:
Subject: "checkout this beauty"
Body: "just checkout this girl posing in a Red bikini!"
Subject: "my new screensaver"
Body: "just watch my new screensaver, i have made it myself!"
Subject: "Conratulations you are our randomly picked winner"
Body: "Conratulations! you have just won a free screensaver, so go ahead and download the attachment. Don't worry no viruses or malware of any kind 100% guaranteed."
Subject: "the new Fast Heal Anti-Virus has just been released"
Body: "Fast Heal Anti-Virus has been released so forget about the boring old Quick Heal and download this free version. Just download the attachment and run the file, that will automatically download the free version."
Subject: "Mario game FREE!"
Body: "The Mario is Back! so throw away all those other games, the real Mario is here. So don't wait for any other minute, Just start playing!"
Subject: "50% discount on Kaspersky Anti-Virus!"
Body: "Hurry download the attachment now! That is the only way to get a 50% discount or a free version of Kaspersky Anti-Virus. After downloading, run the file which will automatically download the latest version alailable."
Subject: "Free videos from YouTube!"
Body: "Hello! I have just downloaded this software that allows me to download any video from youtube for free, so i attached that software in this message. Try it, its great!"
Subject: "Hacking software i have finally got it!"
Body: "Guess what, I have just downloaded this software that allows me to hack on someone else’s computer. I just read the help file once and used it and it works! I have also sent you a copy, try it."
Subject: "My new program"
Body: "Hi, I have just created a new program that searches and deletes temporary unused files and recovers some disk space. I have mailed that file to you, try it and tell me if you like it."
Subject: "supermodels pictures slideshow"
Body: "open this attachment and run the file, it contains the picture slideshow of some supermodels."
Payload
Closes windows
Worm:Win32/Katar.A monitors open windows and attempts to close them if their title contains a string from the following list:
- Anti-Virus
- Anti Virus
- AntiVirus
- virus scan
- Virus-Scan
- processes
- process
- registry
- Registry Editor
- Command Prompt
- System Configuration
- System Information
- www.sysinternals.com
Terminates processes
Worm:Win32/Katar.A attempts to terminate processes with the following file names if they are already running:
- Anti-Trojan.exe
- ANTS.exe
- apvxdwin.exe
- ATCON.exe
- ATUPDATER.exe
- ATWATCH.exe
- AUPDATE.exe
- AUTODOWN.exe
- AUTOTRACE.exe
- AUTOUPDATE.exe
- Avconsol.exe
- AVP.exe
- AVP32.exe
- avpcc.exe
- avpm.exe
- AVPUPD.exe
- Avsynmgr.exe
- AVWUPD32.exe
- AVXQUAR.exe
- bdmcon.exe
- bdoesrv.exe
- bdss.exe
- CMGrdian.exe
- drwebupw.exe
- GUARD.exe
- iamapp.exe
- iamserv.exe
- ICLOAD95.exe
- ICLOADNT.exe
- ICMON.exe
- ICSSUPPNT.exe
- ICSUPP95.exe
- ICSUPPNT.exe
- LUCOMSERVER.exe
- MCAGENT.exe
- mcupdate.exe
- MINILOG.exe
- MOOLIVE.exe
- NAVAPW32.exe
- NMAIN.exe
- NPROTECT.exe
- NSCHED32.exe
- NUPGRADE.exe
- regedit.exe
- regedt32.exe
- RuLaunch.exe
- Vshwin32.exe
- VsStat.exe
- zatutor.exe
- zonealarm.exe
- IEProt.exe
- vsserv.exe
- mmc.exe
- game_y.exe
- HijackThis.exe
- QHM32.EXE
- QHONLINE.EXE
- QHONSVC.EXE
- MAILSVR.EXE
- CATEYE.EXE
- UPSCHD.EXE
- O2KCHECK.EXE
- QHSTRT32.exe
- avgnt.exe
- avguard.exe
- sched.exe
- PccGuide.exe
- PcCtlCom.exe
- Tmntsrv.exe
- TmpFw.exe
- Tmproxy.exe
- TeaTimer.exe
- SpybotSD.exe
- blindman.exe
Disables auto start for selected programs
Worm:Win32/Katar.A attempts to delete the following registry entries in order to disable auto start for selected programs (Quick Heal, Trend Micro, avast!, Bkav, Spybot, Kaspersky, Webroot, McAfee and Symantec components):
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes values:
- QH Live Update Scheduler
- QH Office 2K Check
- Quick Heal e-mail Protection
- Quick Heal Messenger
- Quick Heal On-Line Protection
- Quick Heal Startup Scan
- Email Protection
- Messenger
- On-Line Protection
- Startup Scan
- Update Scheduler
- pccguide.exe
- avast!
- BkavFw
- AVP
- SpySweeper
- ShStatEXE
- McAfeeUpdaterUI
- ccApp
- ccRegVfy
- vptray
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Deletes values:
- SpybotSD TeaTimer
- IEProtection
Disables programs
The worm may terminate the "winlogon.exe" process; because Winlogon is a critical system process, this crashes Windows and forces a restart. Worm:Win32/Katar.A also modifies the following registry entries to disable the services of various programs, mostly security products, together with three Windows services: Windows Firewall/Internet Connection Sharing (SharedAccess), Security Center (wscsvc) and Protected Storage. A few entries are written under ControlSet001 or ControlSet003 rather than CurrentControlSet; such a change only takes effect if that control set is the one Windows is currently booted from.
In each of the following subkeys:
- HKLM\SYSTEM\ControlSet003\Services\SharedAccess
- HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
- HKLM\SYSTEM\ControlSet001\Services\ProtectedStorage
- HKLM\SYSTEM\CurrentControlSet\Services\AntiVirScheduler
- HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService
- HKLM\SYSTEM\CurrentControlSet\Services\QHONLINE
- HKLM\SYSTEM\CurrentControlSet\Services\ScanWscS
- HKLM\SYSTEM\CurrentControlSet\Services\PcCtlCom
- HKLM\SYSTEM\CurrentControlSet\Services\Tmntsrv
- HKLM\SYSTEM\CurrentControlSet\Services\TmPfw
- HKLM\SYSTEM\CurrentControlSet\Services\tmproxy
- HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus
- HKLM\SYSTEM\CurrentControlSet\Services\avast! Mail Scanner
- HKLM\SYSTEM\CurrentControlSet\Services\avast! Web Scanner
- HKLM\SYSTEM\CurrentControlSet\Services\aswUpdSv
- HKLM\SYSTEM\CurrentControlSet\Services\AVP
- HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
- HKLM\SYSTEM\CurrentControlSet\Services\McShield
- HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
- HKLM\SYSTEM\CurrentControlSet\Services\SBService
- HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
- HKLM\SYSTEM\CurrentControlSet\Services\ccPwdSvc
- HKLM\SYSTEM\CurrentControlSet\Services\SavRoam
- HKLM\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus
- HKLM\SYSTEM\CurrentControlSet\Services\DefWatch
- HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
- HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
- HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
Sets value: "Start"
With data: "4"
Sets services to auto start
Worm:Win32/Katar.A tries to modify the following registry entries to set various services to automatic start. Schedule (Task Scheduler) is needed for the AT job the worm creates at installation; several of the others expose remote access to the infected machine: TlntSvr (Telnet), TermService (Remote Desktop), RemoteRegistry, mnmsrvc (NetMeeting Remote Desktop Sharing), RDSessMgr (Remote Desktop Help Session Manager) and upnphost. Unlike the service-disabling changes above, most of these are written under ControlSet001 rather than CurrentControlSet.
In each of the following subkeys:
- HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- HKLM\SYSTEM\ControlSet001\Services\TlntSvr
- HKLM\SYSTEM\ControlSet001\Services\upnphost
- HKLM\SYSTEM\ControlSet001\Services\srservice
- HKLM\SYSTEM\ControlSet001\Services\mnmsrvc
- HKLM\SYSTEM\ControlSet001\Services\RDSessMgr
- HKLM\SYSTEM\ControlSet001\Services\RemoteRegistry
- HKLM\SYSTEM\ControlSet001\Services\NtmsSvc
- HKLM\SYSTEM\ControlSet001\Services\TermService
Sets value: "Start"
With data: "2"
Changes Windows settings
The worm changes registry data to disable Registry Editor and to hide the Control Panel for the current user:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoControlPanel"
With data: "1"
Other registry data is changed to stop Explorer from showing files with the "hidden" and "system" attributes, which conceals the worm's own copies, and to alter the AutoRun and AT-job settings below. Note that the NoDriveTypeAutoRun data listed here, 255 (0xFF), is the bitmask that disables AutoRun for every drive type rather than enabling it; verify the live value on an infected host before assuming either effect. Setting AtTaskMaxHours to 0 removes the run-time limit (72 hours by default) that the Schedule service applies to AT jobs, so the KHATRA.exe job added at installation is never stopped.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "255"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Sets value: "AtTaskMaxHours"
With data: "0"
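The following PowerShell script is an added example and is not part of the original write-up. It reports the service changes from the "Disables programs" and "Sets services to auto start" sections, checking every control set on the host rather than only the live one, and reports and reverts the Explorer and policy values from "Changes Windows settings". Services are only reported, not changed, because the pre-infection start type of each product's service is not known (assumption: restore those from a clean reference host or by reinstalling the product). The clean values for the policy entries are assumptions noted in the code.

```powershell
# Added example; not part of the original write-up. Run elevated.

# Services the worm sets to Start=4 (disabled).
$katarDisabled = @(
    'SharedAccess','wscsvc','ProtectedStorage','AntiVirScheduler','AntiVirService',
    'QHONLINE','ScanWscS','PcCtlCom','Tmntsrv','TmPfw','tmproxy','avast! Antivirus',
    'avast! Mail Scanner','avast! Web Scanner','aswUpdSv','AVP','McAfeeFramework',
    'McShield','McTaskManager','SBService','ccEvtMgr','ccPwdSvc','SavRoam',
    'Symantec AntiVirus','DefWatch','SNDSrvc','ccSetMgr','SPBBCSvc'
)
# Services the worm sets to Start=2 (automatic); several expose remote access.
$katarEnabled = @(
    'ShellHWDetection','Schedule','TlntSvr','upnphost','srservice','mnmsrvc',
    'RDSessMgr','RemoteRegistry','NtmsSvc','TermService'
)

function Test-StartValue([string]$Set, [string]$Service, [int]$Expected) {
    $key = "HKLM:\SYSTEM\$Set\Services\$Service"
    $p = Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue
    if ($p -and $p.Start -eq $Expected) {
        $effect = if ($Expected -eq 4) { 'disabled' } else { 'automatic' }
        [pscustomobject]@{ ControlSet = $Set; Service = $Service; Start = $p.Start; Effect = $effect }
    }
}

function Get-KatarServiceChanges {
    # The write-up shows writes to ControlSet001 and ControlSet003 as well as
    # CurrentControlSet, so look in every control set present on the host.
    $sets = @('CurrentControlSet') + @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName })
    foreach ($set in $sets) {
        foreach ($svc in $katarDisabled) { Test-StartValue $set $svc 4 }
        foreach ($svc in $katarEnabled)  { Test-StartValue $set $svc 2 }
    }
}

# Policy and Explorer values from "Changes Windows settings": the data the worm
# writes and the value to restore. Clean = $null means delete the value (the
# policy does not exist on a default install). Hidden=1 shows hidden files,
# which is what you want while cleaning up (the Windows default is 2, do not
# show); CheckedValue=1 and AtTaskMaxHours=72 are the defaults. Assumptions.
$katarPolicies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Worm = 1; Clean = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Worm = 1; Clean = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Worm = 0; Clean = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Worm = 0; Clean = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                  Name = 'AtTaskMaxHours';       Worm = 0; Clean = 72 }
)
# NoDriveTypeAutoRun is deliberately left out: 255 (0xFF) disables AutoRun on
# every drive type and is the value to keep.

function Get-KatarPolicyChanges {
    foreach ($p in $katarPolicies) {
        $props = Get-ItemProperty -LiteralPath $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        if ($props -and $props.($p.Name) -eq $p.Worm) {
            [pscustomobject]@{ Key = $p.Key; Name = $p.Name; Current = $props.($p.Name); CleanValue = $p.Clean }
        }
    }
}

function Repair-KatarPolicies {
    foreach ($c in Get-KatarPolicyChanges) {
        if ($null -eq $c.CleanValue) {
            Remove-ItemProperty -LiteralPath $c.Key -Name $c.Name
        } else {
            Set-ItemProperty -LiteralPath $c.Key -Name $c.Name -Value $c.CleanValue -Type DWord
        }
    }
}

Get-KatarServiceChanges | Format-Table -AutoSize
Get-KatarPolicyChanges  | Format-Table -AutoSize
# Repair-KatarPolicies   # run once the findings above have been reviewed
```

A service reported under a control set other than the live one is not active and will only matter if the machine is later booted from that set, but it is still worth cleaning so the change does not resurface. Re-enabling Telnet, Remote Desktop and Remote Registry is the part of the payload most likely to be abused after the infection itself is removed, so check those services' start types against your baseline even if the worm's files are already gone.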
Displays pop-up messages
Worm:Win32/Katar.A may display a pop-up message containing any one of the following strings:
"Surf the internet somewhere else"
"This site is banned"
"Don't visit this site again or else"
"Say NO to pornography"
"Get a life. Stop watching porn"
"you are not permitted to view this site"
"F*** yourself"
"You are not allowed to watch porn"
"Gotcha! A******"
"Hacker, gotcha!"
Analysis by Shawn Wang