Worm:Win32/Slenping.AE is a worm that can spread via instant messenger programs and removable drives. It also allows a remote attacker backdoor access and control of the infected computer.
Installation
When executed, Worm:Win32/Slenping.AE copies itself to the Public user's Application Data folder as the following:
- hex-5823-6893-6818\jutched.exe
Note that it also creates the folder "hex-5823-6893-6818" within the Application Data folder.
Worm:Win32/Slenping.AE modifies the registry to run its copy at each Windows start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Java Update Manager"
With data: "%AppData%\hex-5823-6893-6818\jutched.exe"
It also adds the following registry entry so that the worm's copy is exempted from the Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\hex-5823-6893-6818\jutched.exe"
With data: "%AppData%\hex-5823-6893-6818\jutched.exe:*:enabled:java update manager"
Win32/Slenping.AE creates a mutex called "l0lkn0lltr0ll" to ensure only one copy of itself runs at a time.
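As an added defender-side example (not part of this analysis), the following PowerShell checks a host for the installation artifacts described above: the Run value, the firewall exception, the dropped file, the mutex, and an active connection to the port 1866 noted in the Payload section. The drop-folder candidates and the mutex scope are assumptions; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original analysis: host check for the
# Worm:Win32/Slenping.AE artifacts listed in this entry. Run elevated on the
# suspect machine. Drop-folder candidates and the mutex scope are assumptions.
$findings = @()

# Persistence: Run value named "Java Update Manager"
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Java Update Manager'
if ($runVal) { $findings += "Run value 'Java Update Manager' = $runVal" }

# Firewall exception under the legacy FirewallPolicy AuthorizedApplications list
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($p.Name -like '*hex-5823-6893-6818\jutched.exe' -or "$($p.Value)" -like '*java update manager') {
            $findings += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

# Dropped copy: the entry names the Public user's Application Data folder and a
# %AppData% expansion; the exact folder varies by Windows version, so several are tried (assumption)
$roots = @($env:APPDATA, $env:ProgramData, "$env:PUBLIC\AppData\Roaming") | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    $c = Join-Path $root 'hex-5823-6893-6818\jutched.exe'
    if (Test-Path -LiteralPath $c) {
        $hash = (Get-FileHash -LiteralPath $c -Algorithm SHA256).Hash
        $findings += "Dropped file present: $c (SHA256 $hash)"
    }
}

# Running instance: the single-instance mutex "l0lkn0lltr0ll" (local and Global scope tried)
foreach ($name in 'l0lkn0lltr0ll', 'Global\l0lkn0lltr0ll') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $findings += "Mutex present: $name (worm likely running)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present but not openable: $name"
    }
}

# Active C2 session: established TCP connection to remote port 1866
Get-NetTCPConnection -RemotePort 1866 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Connection to $($_.RemoteAddress):1866 from PID $($_.OwningProcess)" }

if ($findings.Count -eq 0) { 'No Slenping.AE artifacts found' } else { $findings }
```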
Spreads Via...
Instant messenger programs
Worm:Win32/Slenping.AE can be ordered to spread via the following instant messenger programs by a remote attacker using the worm's backdoor functionality (see Payload section below for additional detail):
- Google Talk
- MSN Messenger
- Paltalk
- Skype
- XFire
- Yahoo Messenger
When the attacker orders the worm to spread via instant messenger programs, they also provide the content of the messages to be sent. Here are some of the messages sent to contacts depending on the language of the operating system of the infected computer:
- bekijk deze foto :D <malware URL>
- bu resmi bakmak :D <malware URL>
- guardare quest'immagine :D <malware URL>
- katso tätä kuvaa :D <malware URL>
- mira esta fotografía :D <malware URL>
- nézd meg a képet :D <malware URL>
- olhar para esta foto :D <malware URL>
- podívejte se na mou fotku :D <malware URL>
- pogledaj to slike :D <malware URL>
- poglej to fotografijo :D <malware URL>
- pozrite sa na túto fotografiu :D <malware URL>
- regardez cette photo :D <malware URL>
- se på dette bildet :D <malware URL>
- seen this?? :D <malware URL>
- ser på dette billede :D <malware URL>
- spojrzec na to zdjecie :D <malware URL>
- This is the funniest photo ever! <malware URL>
- titta på denna bild :D <malware URL>
- uita-te la aceasta fotografie :D <malware URL>
- Wie findest du das Foto? <malware URL>
The worm may use file names such as the following for the copy being spread:
- DCIM.exe
- music.exe
- Nueva carpeta.exe
Removable drives
Worm:Win32/Slenping.AE copies itself to the following locations on removable drives:
<targeted drive>:\8585485\...exe
<targeted drive>:\8585485\..exe
<targeted drive>:\8585485\subst.exe
It may also create the following shortcut files on targeted drives when spreading:
<targeted drive>:\..s.lnk
<targeted drive>:\.s.lnk
<targeted drive>:\substs.lnk
If the user opens one of these shortcut files, it runs one of the worm copies on the removable drive.
Payload
Allows backdoor access and control
Worm:Win32/Slenping.AE connects to the remote server "msnsolution.nicaze.net", usually on TCP port 1866, and accepts backdoor commands from it. These commands include spreading via instant messenger programs and downloading and executing arbitrary files.
Analysis by Marianne Mallen