Worm:Win32/Usbalex.A is a worm that spreads via mapped drives and may gather system information on the compromised computer and send it to a remote attacker.
Installation
When executed, Win32/Usbalex.A copies itself to the following locations, where the target folder exists (for example, the 'Microsoft Office' folder), using filenames such as the following:
C:\RECYCLER\lsass.exe
C:\RECYCLER\MsInfo\MsInfo.exe
%ProgramFiles%\Microsoft Office\OFFICE11\MSTORDB0.EXE
%ProgramFiles%\Microsoft Office\OFFICE11\MSTORDB.EXE
%TEMP%\Temp.exe
%TEMP%\FolderData.exe
%USERPROFILE%\csrss.exe
%USERPROFILE%\winlogon.exe
%USERPROFILE%\My Documents\My Data.exe
%windir%\System\Regedit.exe
%windir%\System\FolderSys.exe
%windir%\System\WinAgent.exe
When executed, the worm creates the following registry import files:
%TEMP%\services.reg
%TEMP%\tempservices.reg
The worm imports these files to create two services, named "MsInfo Service" and "Temp Services", that execute its dropped copies at Windows start:
Adds value: ImagePath
With data: "C:\RECYCLER\MsInfo\MsInfo.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\MsInfo
Adds value: ImagePath
With data: "%Temp%\Temp.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\TempServices
Win32/Usbalex.A creates other registry data to execute its dropped copies whenever Windows starts.
Adds value: "Default"
With data: "%USERPROFILE%\csrss.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: "load"
With data: "C:\RECYCLER\lsass.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Adds value: "System "
With data: "%USERPROFILE%\csrss.exe"
To subkey: HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
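The following is an added example, not code from the original write-up: an offline check that parses a registry export in .reg text form (the same format as the worm's own services.reg and tempservices.reg, or the output of `reg export`) and flags the auto-start entries described above. The key paths and data come from this description; the Spooler service and the Winlogon "Shell" value are constructed benign controls so the check has something to leave alone.

```python
"""Added example: flag the auto-start entries a Win32/Usbalex.A infection leaves
behind, working from a .reg export rather than the live registry.  Flags:
services whose ImagePath sits in a recycler/temp/profile folder, any Explorer
Run policy entry, a populated legacy "load" value, and a populated Winlogon
"System" value.  SAMPLE_REG is constructed for this demo."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsInfo]
"ImagePath"="C:\\RECYCLER\\MsInfo\\MsInfo.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TempServices]
"ImagePath"="%Temp%\\Temp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Default"="%USERPROFILE%\\csrss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\RECYCLER\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System "="%USERPROFILE%\\csrss.exe"
"Shell"="explorer.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [key path]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')    # "name"=data
DEFAULT_RE = re.compile(r'^@=(.*)$')                     # @=data (unnamed default value)

def parse_reg(text):
    """Return {key_path: {value_name: data}}.  REG_SZ data is unescaped;
    other types (dword:, hex:) keep their raw .reg representation."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
        else:
            m = DEFAULT_RE.match(line)
            if not m:
                continue
            name, data = '', m.group(1)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys

# Key paths from the write-up, lower-cased because registry paths are case-insensitive.
SERVICES_PREFIX = 'hkey_local_machine\\system\\currentcontrolset\\services\\'
EXPLORER_RUN_POLICY = 'hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run'
WINDOWS_LOAD_KEY = 'hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\windows'
WINLOGON_KEY = 'hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon'
# Drop folders the worm uses; no legitimate service binary lives in these.
SUSPICIOUS_PATH = re.compile(r'\\RECYCLER\\|%TEMP%|%USERPROFILE%|\\Temp\\', re.IGNORECASE)

def _get_ci(values, wanted):
    """Case-insensitive value lookup; also tolerates the trailing space in "System "."""
    for name, data in values.items():
        if name.strip().lower() == wanted:
            return name, data
    return None, None

def find_persistence(keys):
    """Return (key, value_name, data, reason) tuples an analyst should review."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(SERVICES_PREFIX):
            name, data = _get_ci(values, 'imagepath')
            if data and SUSPICIOUS_PATH.search(data):
                findings.append((key, name, data, 'service binary in recycler/temp/profile folder'))
        elif k == EXPLORER_RUN_POLICY:
            for name, data in values.items():       # this policy key is normally absent
                findings.append((key, name, data, 'Explorer Run policy entry'))
        elif k == WINDOWS_LOAD_KEY:
            name, data = _get_ci(values, 'load')
            if data:
                findings.append((key, name, data, 'legacy "load" logon hook set'))
        elif k == WINLOGON_KEY:
            name, data = _get_ci(values, 'system')
            if data:
                findings.append((key, name, data, 'Winlogon "System" value set (default is empty)'))
    return findings

if __name__ == '__main__':
    for key, name, data, reason in find_persistence(parse_reg(SAMPLE_REG)):
        print(f'{reason}: [{key}] "{name}" = {data}')
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, then the HKCU and Winlogon keys), the same function reports five findings for the sample above and nothing for the Spooler and Shell controls; the value-name comparison strips whitespace so the worm's "System " entry is caught despite the trailing space.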
Spreads Via…
Logical or Mapped Drives
Worm:Win32/Usbalex.A copies itself to logical or mapped drives using filenames such as the following:
A:\Data.exe
D:\RECYCLED.EXE
E:\Private\My Girls.exe
F:\Data Documents\Documents.exe
G:\My Picture\Pictures.exe
H:\Images\Girls.exe
I:\Application.exe
J:\My CV.exe
Worm:Win32/Usbalex.A then writes an autorun configuration file named 'd:\autorun.inf' that points to 'd:\recycled.exe'. When the removable or networked drive is accessed from another machine that has the Autorun feature enabled, the worm is launched automatically.
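As an added example (not part of the original write-up), the following parses an autorun.inf recovered from a drive or image and lists every directive that would make an Autorun-enabled host launch a program, then builds the NoDriveTypeAutoRun policy mask that disables the feature per drive type. The sample autorun.inf is constructed to match the description above (a root-level file pointing at recycled.exe); the icon line is a constructed non-launching entry.

```python
"""Added example: triage an autorun.inf and build the Autorun-disabling policy mask.
SAMPLE_AUTORUN is constructed to mirror the worm's d:\autorun.inf -> d:\recycled.exe."""
import configparser

SAMPLE_AUTORUN = """[autorun]
open=recycled.exe
shellexecute=recycled.exe
shell\\open\\command=recycled.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# [autorun] directives that launch a program outright; shell\<verb>\command
# entries launch via a context-menu or default verb and are matched by pattern.
LAUNCH_KEYS = ('open', 'shellexecute')

def launch_targets(inf_text):
    """Return [(directive, command)] for each program-launching directive in [autorun]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(inf_text)
    except configparser.Error:           # not INI-shaped: nothing Autorun would act on
        return []
    if not parser.has_section('autorun'):
        return []
    targets = []
    for key, value in parser.items('autorun'):   # keys are lower-cased by configparser
        if key in LAUNCH_KEYS or (key.startswith('shell\\') and key.endswith('\\command')):
            targets.append((key, value.strip()))
    return targets

# NoDriveTypeAutoRun (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
# bit n disables Autorun for GetDriveType() constant n; 0x01 and 0x80 both cover
# unknown drive types, 0x02 (no root directory) is listed only for completeness.
DRIVE_TYPE_BITS = {
    'unknown': 0x01, 'no_root_dir': 0x02, 'removable': 0x04, 'fixed': 0x08,
    'remote': 0x10, 'cdrom': 0x20, 'ramdisk': 0x40, 'unknown_high': 0x80,
}

def no_drive_type_autorun(disable):
    """Mask that disables Autorun for the given drive types; all types give 0xFF."""
    return sum(DRIVE_TYPE_BITS[d] for d in disable)

if __name__ == '__main__':
    for directive, command in launch_targets(SAMPLE_AUTORUN):
        print(f'{directive} -> {command}')
    print(f'NoDriveTypeAutoRun for all drive types: {no_drive_type_autorun(DRIVE_TYPE_BITS):#x}')
```

Three of the five directives in the sample launch recycled.exe, which is the behaviour the worm relies on; the mask 0xFF is the value that removes this vector for every drive type, and 0x14 (removable plus network) covers just the drives this worm spreads through.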
Payload
Deletes Files
Worm:Win32/Usbalex.A deletes the following files if they exist:
C:\Data.exe
C:\My Girls.exe
C:\My CV.exe
C:\Documents.exe
C:\Pictures.exe
C:\Application.exe
C:\Girls.exe
C:\My Data.exe
C:\FolderData.exe
Sends Data
Worm:Win32/Usbalex.A may gather system information on the compromised computer and send it to a remote attacker via e-mail.
Additional Information
Logs Execution Date
Worm:Win32/Usbalex.A logs the date of execution to the following file:
%USERPROFILE%\Local Settings\Temp\settime.tme
Example content of 'settime.tme':
10/9/2008,10/9/2008
Analysis by Wei Li