Threat behavior
Worm:Win32/Refroso.A is a worm that stops Windows Security Center and attempts to spread to other computers across a network by exploiting a vulnerability in Windows.
Installation
When run, this worm copies itself to the Windows folder as "usb_drv.exe". The registry is modified to run the dropped worm copy at each Windows start.
Adds value: "Universal Bus device"
With data: "usb_drv.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm terminates if it determines that any of the following security tools are running:
- Wireshark Network Analyzer
- Process Monitor
- File Monitor
- Registry Monitor
Spreads Via…
Networked computers
Worm:Win32/Refroso.A attempts to locate vulnerable networked computers that have not applied Security Bulletin MS08-067. The worm exploits the target computer on the network in order to copy itself to the vulnerable machine.
Mapped drives
The worm copies itself to mapped drives as "usb_drv.exe". The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a machine supporting the Autorun feature, the worm is launched automatically.
Payload
Stops Windows Security Center service
The worm drops a batch script file in the root of the local drive as "x.bat" and runs the dropped script. The script attempts to stop Windows Security Center using the Windows utility "NET.EXE" as in the following example:
net stop "Security Center"
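As an added example that is not part of the original analysis, the following Python checks a snapshot of a host for the artifacts described above: the "Universal Bus device" Run value, usb_drv.exe in the Windows folder, x.bat in a drive root, and an autorun.inf that launches usb_drv.exe. The snapshot structures, function names and sample data are hypothetical and constructed; on a real host they would be filled from the registry and file system.

```python
import configparser
from typing import Dict, List, Optional, Set

# Indicators taken from the analysis above: dropped file, Run-key value and batch script.
WORM_FILE = "usb_drv.exe"
RUN_VALUE_NAME = "Universal Bus device"
BATCH_FILE = "x.bat"
# [autorun] keys that can launch a file when a drive is opened or double-clicked.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating quotes and either slash style."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def autorun_launch_targets(inf_text: str) -> List[str]:
    """Return the files an autorun.inf would launch, taken from its [autorun] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return []  # malformed file: nothing we can trust
    name = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if name is None:
        return []
    section = parser[name]
    return [section[key].strip() for key in AUTORUN_LAUNCH_KEYS if key in section]


def assess_host(run_values: Dict[str, str], windows_files: Set[str], drive_root_files: Set[str],
                autorun_inf: Optional[str]) -> List[str]:
    """Report which Refroso.A artifacts a (hypothetical) host snapshot contains."""
    findings = []
    for name, data in run_values.items():  # HKLM\...\CurrentVersion\Run values
        if name == RUN_VALUE_NAME or _basename(data) == WORM_FILE:
            findings.append(f'Run value "{name}" -> {data}')
    if WORM_FILE in {f.lower() for f in windows_files}:
        findings.append(f"{WORM_FILE} present in the Windows folder")
    if BATCH_FILE in {f.lower() for f in drive_root_files}:
        findings.append(f"{BATCH_FILE} present in a drive root")
    if autorun_inf is not None:
        for target in sorted(set(autorun_launch_targets(autorun_inf))):
            if _basename(target) == WORM_FILE:
                findings.append(f"autorun.inf launches {target}")
    return findings


# Constructed sample snapshot of an infected host (not captured data).
SAMPLE_RUN_VALUES = {"Universal Bus device": "usb_drv.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}
SAMPLE_AUTORUN_INF = "[autorun]\nopen=usb_drv.exe\nshell\\open\\command=usb_drv.exe\nicon=shell32.dll,4\n"
```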
Downloads arbitrary files
The worm attempts to get the IP address of the local machine by connecting to the following servers:
www.whatismyip.com
checkip.dyndns.org
The worm then sends machine information from the infected machine to the remote server "virtual-rejects.com". The worm may download executable updates from the remote server.
Analysis by Jaime Wong
Prevention