Worm:Win32/Reatconk.A is a worm that spreads via network drives, and may contain backdoor functionality that allows unauthorized access to an affected computer.
Installation
Worm:Win32/Reatconk.A may create the following files on the affected user's computer with the 'hidden', 'read-only' and 'system' attributes set:
- Under the %AppData% folder:
  - Windows.exe
  - <two part derived name>.exe
- Under any drive found on the computer:
  - Windows.exe
  - Autorun.inf
  - fn.db
  - cscom.omf
  - <two part derived name>.exe
where <two part derived name> refers to a pseudo-random name generated as follows.
- The first part is chosen at random from the following:
  - COM
  - Cmd
  - Disk
  - Drive
  - Driver
  - File
  - Folder
  - Harddisk
  - Harddrive
  - Installer
  - Internet
  - MMC
  - MSC
  - MotherBoard
  - Network
  - Printer
  - Registry
  - Server
  - Share
  - Shell
  - Task
  - Tsk
  - Video
  - prnt
  - reg
  - srv
  - system
- The second part of the name is chosen at random from the following:
  - Angel
  - Deamon
  - Driver
  - Helper
  - Installer
  - Manger
  - Mnger
  - Monitor
  - Reader
  - Server
  - Service
  - Spooler
  - Task
  - Updater
  - Writer
Once the two parts are joined, a ".exe" extension is appended to the file name, giving names such as the following:
- DriverHelper.exe
- InstallerSpooler.exe
Spreads via...
Removable drives
Worm:Win32/Reatconk.A copies itself to the root of all removable, fixed and mapped network drives as:
- autorun.inf, and
- Windows.exe
Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer on which the Autorun feature is enabled, the malware is launched automatically. This is common malware behavior, used to spread from computer to computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
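The two indicators described above, the <first><second>.exe naming scheme and an autorun.inf that launches a dropped file, can be checked together from a directory listing. The following triage helper is an added example written for this page; it is not code from the write-up or from the worm. It assumes a drive-root listing supplied as file names plus attribute flags (how you collect that listing is up to you), matches names case-insensitively, and uses a constructed autorun.inf sample. The `[autorun]` keys it reads (`open`, `shellexecute`, `shell\<verb>\command`) are the standard Windows Autorun launch keys, not keys the write-up attributes to this worm. As the write-up notes, an autorun.inf by itself is not treated as a finding; only an autorun.inf that launches a file with one of the dropped or derived names, present on the same drive, raises the verdict.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# First and second name parts exactly as listed in the write-up.
FIRST_PARTS = [
    "COM", "Cmd", "Disk", "Drive", "Driver", "File", "Folder", "Harddisk",
    "Harddrive", "Installer", "Internet", "MMC", "MSC", "MotherBoard", "Network",
    "Printer", "Registry", "Server", "Share", "Shell", "Task", "Tsk", "Video",
    "prnt", "reg", "srv", "system",
]
SECOND_PARTS = [
    "Angel", "Deamon", "Driver", "Helper", "Installer", "Manger", "Mnger", "Monitor",
    "Reader", "Server", "Service", "Spooler", "Task", "Updater", "Writer",
]

# <first><second>.exe, anchored at both ends. Case-insensitive matching is an
# assumption of this example (Windows file names are case-insensitive anyway).
DERIVED_NAME_RE = re.compile(
    r"^(?:%s)(?:%s)\.exe$"
    % ("|".join(map(re.escape, FIRST_PARTS)), "|".join(map(re.escape, SECOND_PARTS))),
    re.IGNORECASE,
)

# Fixed names the write-up says are dropped on each drive. autorun.inf is deliberately
# left out: on its own it is not an indicator, since legitimate install media use it.
DROPPED_NAMES = {"windows.exe", "fn.db", "cscom.omf"}
SUSPECT_ATTRS = {"hidden", "readonly", "system"}


@dataclass(frozen=True)
class Entry:
    """One file in a drive-root listing: its name plus attribute flags."""
    name: str
    attrs: FrozenSet[str]


def is_derived_name(name: str) -> bool:
    """True if `name` is one of the <first><second>.exe combinations."""
    return DERIVED_NAME_RE.match(name) is not None


def autorun_targets(text: str) -> List[str]:
    """File names an autorun.inf would launch: open=, shellexecute= and
    shell\\<verb>\\command= keys in the [autorun] section. Minimal INI parsing."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        # The first token is the program: either a quoted path or a bare word.
        m = re.match(r'"([^"]*)"|(\S+)', value)
        if m is None:
            continue
        program = m.group(1) if m.group(1) is not None else m.group(2)
        targets.append(program.replace("/", "\\").rsplit("\\", 1)[-1])
    return targets


def triage_drive_root(entries: List[Entry], autorun_text: Optional[str] = None
                      ) -> Tuple[str, List[Tuple[str, str, bool]]]:
    """Return (verdict, findings). Each finding is (kind, name, strong):
    "dropped-name" is strong when hidden, read-only and system are all set;
    "autorun-target" is strong when the launched file is present on the drive."""
    present = {e.name.lower() for e in entries}
    findings = []
    for e in entries:
        if e.name.lower() in DROPPED_NAMES or is_derived_name(e.name):
            attrs = {a.lower() for a in e.attrs}
            findings.append(("dropped-name", e.name, SUSPECT_ATTRS <= attrs))
    launches_dropper = False
    if autorun_text is not None:
        for target in autorun_targets(autorun_text):
            low = target.lower()
            if low in DROPPED_NAMES or is_derived_name(target):
                findings.append(("autorun-target", target, low in present))
                launches_dropper = launches_dropper or low in present
    if launches_dropper:
        verdict = "likely-infected"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed sample listing and autorun.inf for demonstration (not recovered from the worm).
SAMPLE_LISTING = [
    Entry("Windows.exe", frozenset({"hidden", "readonly", "system"})),
    Entry("autorun.inf", frozenset({"hidden", "readonly", "system"})),
    Entry("fn.db", frozenset({"hidden", "system"})),
    Entry("DriverHelper.exe", frozenset({"hidden", "readonly", "system"})),
    Entry("Setup.exe", frozenset()),
    Entry("holiday.jpg", frozenset()),
]
SAMPLE_AUTORUN = """[autorun]
; constructed sample
open=Windows.exe
shell\\open\\command="DriverHelper.exe"
icon=Setup.exe,0
"""

if __name__ == "__main__":
    verdict, findings = triage_drive_root(SAMPLE_LISTING, SAMPLE_AUTORUN)
    print(verdict)
    for kind, name, strong in findings:
        print(f"  {kind:15} {name:20} {'strong' if strong else 'weak'}")
```

Running the module on the constructed sample prints `likely-infected` with five findings: three dropped-name hits (fn.db is weak because it lacks the read-only flag in the sample) and two autorun targets that resolve to files present on the drive. A listing that holds only an autorun.inf pointing at an unrelated Setup.exe comes back `clean`, which is the caveat the write-up makes about legitimate installation media.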
Peer-to-Peer file sharing
Worm:Win32/Reatconk.A may attempt to spread via Peer-to-Peer (P2P) file sharing by copying files to the shared folders of particular P2P file sharing applications. In the wild, we have observed the worm placing "Windows.exe" in the following directories:
- C:\Documents and Settings\<username>\My Documents\LimeWire\Shared\
- C:\Documents and Settings\<username>\My Documents\FrostWire\Shared\
- C:\Documents and Settings\<username>\Shared\
- C:\Documents and Settings\<username>\My Documents\Shareaza Downloads\
- C:\Documents and Settings\<username>\My Documents\FrostWire\Saved\
Payload
Backdoor functionality
Worm:Win32/Reatconk.A allows unauthorized control of an affected computer. Using this worm, an attacker can perform a number of different actions on the affected computer, including, but not limited to, the following:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation, including instant messenger applications
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
Additional information
Worm:Win32/Reatconk.A is written in AutoIt script.
Analysis by Michael Johnson