Worm:Win32/SillyShareCopy.E is a worm that propagates by dropping several copies of itself to all drives found in the system.
Installation
Worm:Win32/SillyShareCopy.E creates the following additional files in the system:
- %Start Menu%\Programs\Startup\Adobe Online.com - copy of itself
- %Start Menu%\Programs\Startup\Adobe update.com - copy of itself
- %windir%\Thumbs .db - component file
- <Malware Path>\Autoexec.bat - batch file that displays the following message:
where <Malware Path> is the directory where the malware was executed.
It also drops several copies of itself in the root folder of each drive, one for each folder found there, using the following naming format:
<Folder Name> .scr
For example:
C:\Program Files .scr
C:\Documents and Settings .scr
Worm:Win32/SillyShareCopy.E also uses a folder icon and launches Windows Explorer when it is double-clicked, so that users mistake the executed file for a real folder. To do this, SillyShareCopy.E changes the following registry entries:
Modifies value: "@"
From data: "Screen Saver"
To data: "File Folder"
To subkey: HKLM\SOFTWARE\Classes\scrfile
Modifies value: "@"
From data: ""%1" /S"
To data: "%1"
To subkey: HKLM\SOFTWARE\Classes\scrfile\shell\open\command
Spreads Via...
Logical Drives
Upon execution, Worm:Win32/SillyShareCopy.E drops the following hidden files in all drives from C: to Z:
- Thumbs.com - copy of itself
- Thumbs .db - component file
- Autorun.inf - autorun configuration file
The autorun configuration file enables this worm to automatically execute if the drive is opened.
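The two file-system indicators above (the "<Folder Name> .scr" decoys dropped next to real folders, and the fixed hidden drops Thumbs.com, "Thumbs .db" and Autorun.inf) can be checked from a plain directory listing. The following script is an added triage example, not code from the malware or from this write-up; the drive listing and the Autorun.inf text it runs on are constructed samples, and the exact contents of the worm's real Autorun.inf are not given on this page.

```python
"""Spot SillyShareCopy.E-style drops in a drive root and in Autorun.inf.

Added detection example, not the malware's own code. Two indicators from
the write-up are covered: decoy copies named "<Folder Name> .scr" (note
the space before the extension) beside each real folder, and the fixed
hidden files Thumbs.com / "Thumbs .db" / Autorun.inf, whose [autorun]
section points the shell at the dropped copy. The listing and the
Autorun.inf text below are constructed samples.
"""
import configparser
import os
from typing import Iterable, List, Tuple

# Fixed dropped-file names from the write-up (compared case-insensitively).
DROPPED_NAMES = {"thumbs.com", "thumbs .db", "autorun.inf"}

# Autorun.inf directives that make Explorer/AutoPlay run a program when the
# drive is opened. Reported in this order.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def find_decoys(entries: Iterable[Tuple[str, bool]]) -> List[str]:
    """Return file names from a root listing that match the worm's drops.

    `entries` is an iterable of (name, is_dir) pairs. A file is flagged when
    its name equals an existing folder name plus " .scr", or when it is one
    of the fixed dropped-file names.
    """
    listing = list(entries)
    folders = {name.lower() for name, is_dir in listing if is_dir}
    hits = []
    for name, is_dir in listing:
        if is_dir:
            continue
        low = name.lower()
        stem, ext = os.path.splitext(low)
        if ext == ".scr" and stem.endswith(" ") and stem[:-1] in folders:
            hits.append(name)
        elif low in DROPPED_NAMES:
            hits.append(name)
    return hits


def autorun_targets(text: str) -> List[str]:
    """Return the programs an Autorun.inf would launch, in LAUNCH_KEYS order.

    Section and key names are matched case-insensitively; malformed input
    (no section header, duplicate keys, etc.) yields an empty list.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    for section_name in parser.sections():
        if section_name.lower() == "autorun":
            section = parser[section_name]
            return [section[k].strip() for k in LAUNCH_KEYS if k in section]
    return []


def scan_root(root: str) -> List[str]:
    """Live variant for a real drive root; not used by the offline sample."""
    return find_decoys((e.name, e.is_dir()) for e in os.scandir(root))


# Constructed sample: a C: root with two decoy copies and the hidden drops.
SAMPLE_LISTING = [
    ("Program Files", True),
    ("Documents and Settings", True),
    ("WINDOWS", True),
    ("Program Files .scr", False),
    ("Documents and Settings .scr", False),
    ("Thumbs.com", False),
    ("Thumbs .db", False),
    ("Autorun.inf", False),
    ("pagefile.sys", False),
    ("saver.scr", False),  # ordinary screensaver, no matching folder name
]

# Constructed Autorun.inf in the shape such worms use; the real file's
# contents are not given in the write-up.
SAMPLE_AUTORUN = """[AutoRun]
open=Thumbs.com
shellexecute=Thumbs.com
shell\\open\\command=Thumbs.com
"""

if __name__ == "__main__":
    for name in find_decoys(SAMPLE_LISTING):
        print("suspicious:", name)
    for target in autorun_targets(SAMPLE_AUTORUN):
        print("autorun launches:", target)
```

The " .scr" check deliberately requires a matching folder name in the same directory, so ordinary screensaver files are not flagged; `scan_root` applies the same logic to a real drive root on a Windows host.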
Payload
Modifies System Settings
Worm:Win32/SillyShareCopy.E modifies the system registry so that hidden files cannot be viewed by the user:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWAL
Adds value: "UncheckedValue"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
It also adds the following registry keys:
HKLM\SOFTWARE\Classes\scrfile\InfoTip
HKLM\SOFTWARE\Classes\scrfile\NeverShowExt
HKLM\SOFTWARE\Classes\scrfile\TileInfo
Displays Message
Worm:Win32/SillyShareCopy.E displays the following message when the user logs on:
It does this by adding the following registry entries:
Adds value: "LegalNoticeCaption"
To data: "81u3f4nt45y - 24.01.2007 - Surabaya"
Adds value: "LegalNoticeText"
To data: "Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
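The registry changes listed in this write-up (the scrfile class edits that make a .scr look like a folder, the Explorer settings that keep hidden files and extensions out of view, the extra scrfile subkeys, and the Winlogon legal-notice values that carry the message) can be checked against their clean defaults. The following script is an added example, not code from the malware or from this write-up. The snapshot format it uses (subkey path mapped to value name/data pairs, with "@" for a key's default value) and the Windows defaults in BASELINE are assumptions; the page writes the hidden-files key as SHOWAL, the standard key is SHOWALL, which is what the script uses. The infected snapshot is constructed from the values listed above.

```python
"""Compare a registry snapshot against the defaults SillyShareCopy.E overwrites.

Added example, not the malware's own code. The snapshot format
(subkey path -> {value name -> data}, "@" for the default value) and
the clean defaults in BASELINE are assumptions. `collect_live` reads
the same keys from a Windows host; the INFECTED snapshot is constructed
from the values the write-up lists.
"""
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]

ADVANCED = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SCRFILE = r"HKLM\SOFTWARE\Classes\scrfile"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Values the write-up says the worm overwrites, with their clean defaults
# (assumed standard Windows values; "@" is the key's default value).
BASELINE: Snapshot = {
    SCRFILE: {"@": "Screen Saver"},
    SCRFILE + r"\shell\open\command": {"@": '"%1" /S'},
    ADVANCED + r"\Folder\Hidden\SHOWALL": {"CheckedValue": "1"},
    ADVANCED + r"\Folder\HideFileExt": {"UncheckedValue": "0"},
    WINLOGON: {"LegalNoticeCaption": "", "LegalNoticeText": ""},
}

# Subkeys the write-up says the worm adds; a clean scrfile class lacks them.
ADDED_KEYS = [
    SCRFILE + r"\InfoTip",
    SCRFILE + r"\NeverShowExt",
    SCRFILE + r"\TileInfo",
]


def check_snapshot(snap: Snapshot) -> List[str]:
    """Return one finding per value departing from BASELINE or key in ADDED_KEYS."""
    findings = []
    for key, values in BASELINE.items():
        present = snap.get(key, {})
        for name, default in values.items():
            actual = present.get(name, default)  # a missing value counts as default
            if actual != default:
                findings.append(f"{key} [{name}] = {actual!r}, expected {default!r}")
    for key in ADDED_KEYS:
        if key in snap:
            findings.append(f"{key} present (absent on a clean system)")
    return findings


def collect_live() -> Snapshot:
    """Build a read-only snapshot of the keys above from the local registry.

    Windows only: on other platforms winreg is absent and {} is returned.
    """
    try:
        import winreg
    except ImportError:
        return {}
    snap: Snapshot = {}
    for key in list(BASELINE) + ADDED_KEYS:
        sub = key.split("\\", 1)[1]  # strip the HKLM\ prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as handle:
                snap[key] = {}
                for name in BASELINE.get(key, {}):
                    try:
                        data, _ = winreg.QueryValueEx(handle, "" if name == "@" else name)
                        snap[key][name] = str(data)  # REG_DWORD 1 -> "1"
                    except OSError:
                        pass  # value not set: treated as default
        except OSError:
            pass  # key absent
    return snap


# Constructed snapshot reflecting the changes listed in the write-up.
INFECTED: Snapshot = {
    SCRFILE: {"@": "File Folder"},
    SCRFILE + r"\shell\open\command": {"@": "%1"},
    SCRFILE + r"\InfoTip": {},
    SCRFILE + r"\NeverShowExt": {},
    SCRFILE + r"\TileInfo": {},
    ADVANCED + r"\Folder\Hidden\SHOWALL": {"CheckedValue": "0"},
    ADVANCED + r"\Folder\HideFileExt": {"UncheckedValue": "1"},
    WINLOGON: {
        "LegalNoticeCaption": "81u3f4nt45y - 24.01.2007 - Surabaya",
        "LegalNoticeText": "Surabaya in my birthday",
    },
}

if __name__ == "__main__":
    for line in check_snapshot(collect_live() or INFECTED):
        print(line)
```

A missing value is treated as its default rather than reported, so the check only speaks up for values that were actually changed or keys that were actually added; restoring the BASELINE values (and deleting the added subkeys) is what returns the scrfile class and Explorer view settings to normal.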
Analysis by Elda Dimakiling