Worm:Win32/Slenping.Y is a worm that can spread via MSN Messenger, peer-to-peer (P2P) applications, and external USB drives. The worm also contains backdoor functionality that allows unauthorized access to an affected computer.
Installation
When run, Worm:Win32/Slenping.Y drops a copy of itself as the following hidden file:
C:\RECYCLER\S-1-5-21-<random string>\yv8g67.exe
The registry is modified to run the worm copy at each Windows start.
Adds value: "Taskman"
With data: "<path of worm>\yv8g67.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads Via…
MSN Messenger
Worm:Win32/Slenping.Y does not spread via Messenger on its own; a remote attacker instructs it to do so through the worm's backdoor functionality (see Payload below for additional detail), and the same attacker supplies the content of the message that is sent to the affected user's contacts.
P2P applications
Worm:Win32/Slenping.Y can spread via peer-to-peer file sharing applications such as LimeWire, eMule, Kazaa, Shareaza, iMesh and BearShare. The worm copies itself into the shared folder of each of these applications that is present on the computer, so that other users of the file-sharing network find and download the copy.
USB drives
Worm:Win32/Slenping.Y can spread via a USB drive by copying itself to the drive as "Docs\print.exe". The worm then writes an Autorun configuration file named "autorun.inf" to the root of the drive that points to the worm copy. When the drive is connected to a computer on which the Autorun feature is enabled, the worm copy is launched automatically.
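The on-disk indicators listed under Installation and USB drives above (the "Docs\print.exe" copy referenced from "autorun.inf", and the hidden copy under "C:\RECYCLER\S-1-5-21-<random string>\yv8g67.exe") can be checked with a small script. The following is an added example, not code from the original write-up or from the malware analysis; it assumes the drive and system volume are reachable as ordinary directory paths and that the autorun.inf uses the standard INI layout with an [autorun] section and open=, shellexecute= or shell\...\command= keys. The sample drive layout it builds is constructed for the demonstration and contains placeholder bytes, not the worm.

```python
"""Check a removable drive and a system volume for the Slenping.Y file indicators.

Added example; the paths, regex and sample layout are assumptions for illustration.
"""
import os
import re
import tempfile

# Indicators taken from the write-up (lower-cased, backslash paths).
WORM_USB_COPY = r"docs\print.exe"
WORM_FILENAME = "yv8g67.exe"
# Per-user recycle bin folders are legitimately named S-1-5-21-...; only the
# yv8g67.exe file inside such a folder is the indicator, not the folder itself.
RECYCLER_DIR_RE = re.compile(r"^S-1-5-21-[^\\/]+$", re.IGNORECASE)


def _normalise(value):
    """Canonicalise a path from autorun.inf: strip quotes, use backslashes, lower-case."""
    value = value.strip().strip('"').replace("/", "\\").lower()
    while value.startswith(".\\"):
        value = value[2:]
    return value


def autorun_targets(inf_text):
    """Return every executable an autorun.inf would launch, in file order."""
    targets = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open= and shellexecute= run directly; shell\<verb>\command= runs via the context menu.
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(_normalise(value))
    return targets


def scan_removable_drive(root):
    """Return (indicator, path) findings for a drive mounted at root."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_path):
        with open(inf_path, "r", errors="replace") as fh:
            targets = autorun_targets(fh.read())
        if any(t == WORM_USB_COPY for t in targets):
            findings.append(("autorun.inf points at Docs\\print.exe", inf_path))
    worm_copy = os.path.join(root, "Docs", "print.exe")
    if os.path.isfile(worm_copy):
        findings.append(("worm copy present on drive", worm_copy))
    return findings


def scan_recycler(system_root):
    """Look for RECYCLER\\S-1-5-21-<random>\\yv8g67.exe beneath a system volume root."""
    findings = []
    recycler = os.path.join(system_root, "RECYCLER")
    if not os.path.isdir(recycler):
        return findings
    for entry in sorted(os.listdir(recycler)):
        if RECYCLER_DIR_RE.match(entry):
            candidate = os.path.join(recycler, entry, WORM_FILENAME)
            if os.path.isfile(candidate):
                findings.append(("RECYCLER drop location", candidate))
    return findings


def build_sample_drive():
    """Construct a fake infected USB layout in a temp directory (sample data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Docs"))
    with open(os.path.join(root, "Docs", "print.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes standing in for the worm copy
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=Docs\\print.exe\r\nshellexecute=Docs\\print.exe\r\nicon=Docs\\print.exe\r\n")
    return root


def build_sample_system_volume():
    """Construct a fake system volume holding the RECYCLER drop location (sample data)."""
    root = tempfile.mkdtemp(prefix="sys_")
    drop_dir = os.path.join(root, "RECYCLER", "S-1-5-21-1234567890-1")  # assumed random suffix
    os.makedirs(drop_dir)
    with open(os.path.join(drop_dir, WORM_FILENAME), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes
    return root


if __name__ == "__main__":
    for indicator, path in scan_removable_drive(build_sample_drive()) + scan_recycler(build_sample_system_volume()):
        print(f"{indicator}: {path}")
```

On a live system the registry part of the installation (the Taskman value under the Winlogon key) is better checked with the platform's own tools; this script covers only the file-system indicators so that it runs anywhere, including against a mounted image of a suspect drive.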
Payload
Remote access and control
Worm:Win32/Slenping.Y connects to a remote server, commonly over UDP port 442, and accepts backdoor commands from a remote attacker through that connection. Observed commands include spreading the worm via MSN Messenger and downloading and executing arbitrary files. Worm:Win32/Slenping.Y was observed to connect to the following remote servers:
f5v9w.com
e7j0ht.cn
mp1r3n.ru
Additional Information
Win32/Slenping is capable of hiding its running process so that it is not listed in Windows Task Manager.
Analysis by Jireh Sanico