Worm:Win32/Scrimge.B is a worm that spreads via MSN Messenger. It also contains backdoor functionality that allows unauthorized access to the affected machine.
Installation
When executed, Worm:Win32/Scrimge.B performs the following actions on an affected machine:
- Copies itself to %windir%\system\explorer.exe and sets this file's attributes to read-only, hidden and system. It also attempts to set the time stamp of this file to the same as that of explorer.exe. However, this action failed in our laboratory testing.
- Creates a mutex object called "1WINDOWSMUTEX1". The worm subsequently performs checks for the presence of this mutex object. If the mutex does not exist, the worm assumes that it is no longer running and re-launches itself by executing %windir%\system\explorer.exe.
- Modifies the registry to run itself at each Windows start:
  Adds value: "Windows Explorer Key"
  With data: "%windir%\system\explorer.exe"
  To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modifies the registry to store the filename of the original copy of the worm's executable:
  Adds value: "meltWindowsBs"
  With data: "<original malware file name>"
  To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
- Drops the file "%windir%\IMG-<number>.zip", where <number> is a randomly generated 4-digit number, e.g. "IMG-3293.zip". This ZIP archive contains a copy of the worm with the file name "img0794-www.photoupload.com". The worm uses this file when spreading via MSN Messenger.
- Injects code into explorer.exe that opens the file %windir%\system\explorer.exe and keeps it open, thus preventing it from being modified or removed.
Note: <System> and %windir% refer to variable locations that are determined by the malware querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; and for XP and Vista is C:\Windows.
If running on a Windows XP Service Pack 2 system, the worm further modifies the registry in order to add itself to the Windows Firewall Authorized Applications list:
  Adds value: "%windir%\system\explorer.exe"
  With data: "%windir%\system\explorer.exe:*:Enabled:Windows Sharing"
  To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
When the installation process is complete, the worm deletes the copy of itself that was originally executed along with the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Note: If the name of the user who ran the worm is "CurrentUser", the worm exits without doing anything.
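A defender's host triage for the installation artifacts listed above, added here as an example and not taken from the Microsoft write-up: it looks for the dropped file, the two registry values, the Windows Firewall authorized-application entry, the IMG-nnnn.zip lure archive and the 1WINDOWSMUTEX1 mutex. The indicator values come from the description; the function names, the report format and the assumption that the mutex is created in the Local namespace (no "Global\" prefix) are this example's own. Run it from an elevated PowerShell prompt on the suspect machine.

```powershell
# Added example, not code from the Microsoft write-up: host triage for the
# Scrimge.B installation artifacts described above. Indicator values are taken
# from the description; function names and output format are this example's own.

$windir   = $env:windir
$findings = New-Object System.Collections.Generic.List[string]

function Test-ScrimgeDroppedFile {
    # Dropped copy at %windir%\system\explorer.exe, marked read-only, hidden, system.
    # -Force is needed for Get-Item to return hidden/system files.
    $path = Join-Path $windir 'system\explorer.exe'
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings.Add("Dropped file: $path (attributes: $($item.Attributes), written $($item.LastWriteTime))")
    }
}

function Test-ScrimgeRegistry {
    # Run value used for persistence; the "meltWindowsBs" value, which the worm deletes when
    # installation finishes (its presence suggests an interrupted install); and the firewall
    # authorized-application entry added on XP SP2.
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'Windows Explorer Key' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'; Name = 'meltWindowsBs' },
        @{ Path = $fwList;                                                            Name = "$windir\system\explorer.exe" }
    )
    foreach ($c in $checks) {
        $name = $c.Name
        $prop = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings.Add("Registry value: $($c.Path) [$name] = $($prop.$name)")
        }
    }
}

function Test-ScrimgeLureArchive {
    # %windir%\IMG-<4 digits>.zip holding a copy of the worm named "img0794-www.photoupload.com".
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    Get-ChildItem -LiteralPath $windir -Filter 'IMG-*.zip' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^IMG-\d{4}\.zip$' } |
        ForEach-Object {
            $file = $_
            $zip  = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                $members = @($zip.Entries | ForEach-Object { $_.FullName })
            } finally {
                $zip.Dispose()
            }
            if ($members -contains 'img0794-www.photoupload.com') {
                $findings.Add("Lure archive containing the worm: $($file.FullName)")
            } else {
                $findings.Add("Suspicious archive (contents: $($members -join ', ')): $($file.FullName)")
            }
        }
}

function Test-ScrimgeMutex {
    # A running instance holds the mutex "1WINDOWSMUTEX1". OpenExisting succeeds only if it
    # exists; an access-denied error also means it exists (held under another account).
    # Assumption: the worm creates it in the Local namespace (no "Global\" prefix).
    try {
        $m = [System.Threading.Mutex]::OpenExisting('1WINDOWSMUTEX1')
        $m.Dispose()
        $findings.Add('Mutex 1WINDOWSMUTEX1 exists: a worm instance is probably running')
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: nothing to report.
    } catch [System.UnauthorizedAccessException] {
        $findings.Add('Mutex 1WINDOWSMUTEX1 exists but is not accessible from this account')
    }
}

Test-ScrimgeDroppedFile
Test-ScrimgeRegistry
Test-ScrimgeLureArchive
Test-ScrimgeMutex

if ($findings.Count -eq 0) { 'No Scrimge.B installation artifacts found.' } else { $findings }
```

Because the code injected into explorer.exe keeps %windir%\system\explorer.exe open, a positive file finding will usually resist deletion until the injected explorer.exe and the worm process are stopped; the mutex check is the quickest way to tell whether an instance is still live before attempting removal.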
Spreads via…
MSN Messenger
This worm is able to spread via MSN Messenger in two ways - either automatically as a consequence of its execution, or via the manual control of a remote attacker using the worm's backdoor functionality (see below for further detail).
The worm tries to send itself, contained in the ZIP file %windir%\IMG-<number>.zip, to contacts using MSN Messenger. Along with the file itself, it sends a message that varies according to the country locale setting of the local machine. The message is then randomly chosen from one of the following country-specific lists:
France:
hé je vais mettre cette image de nous sur mon myspace :>
le lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
hé veux tu voir mes image de vacance??
j'ai fais pour toi ce photo album tu dois le voire :p
haha vous devriez rendre ceci votre défaut pic sur le myspace ou quelque chose :D
mes photos chaudes :D
défaut de la reproduction sonore ! regard à cette vieille image que j'ai trouvée : |
Spain, Mexico, Venezuela:
oye voy a poner esa foto de nosotros en mi myspace :->
jaja recuerda cuando tuviste el pelo asi
oye voy a agregar esa foto a mi blog ya
jaja debes poner esa foto como foto principal en tu myspace o algo :D
hola esas son las fotos
esa foto de tu y yo la voy a poner en myspace
voy a poner esa foto de nosotros en mi blog ya
oye ponga esa foto en tu myspace como la foto principal
jajaja yo me recuerdo cuando tuvistes el pelo asi
ay no ese pelo fue lo mas chistoso...q estabas pensando
Italy:
ehi metterò quest'immagine di noi sul mio myspace :>
jaja ricordo quando lei aveva i suoi capelli come questo
ehi aggiungerò quest'immagine di noi al mio weblog
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa :D
metta questi fotos in suo pagina myspace
Qui sono il fotos di ci
Caricherò questa foto al mio myspace adesso
Io ricordo quando abbiamo portato questa foto
Per favore nessuno lasciare vede le nostre foto
Netherlands, Belgium:
Hey i zet deze foto van ons even op mijn myspace
lol ik kan me nog herrinneren toen je haar zoals dit had
hey ik voeg deze foto van ons ff toe op mijn weblog
haha you moet die je standaard foto maken op hyves of myspace
he heb je ooit deze foto laten zien ?
wow! moet je eens kijken welke foto ik nu gevonden heb
wil je fotos zien van mijn vakantie
Germany:
he werde ich diese Abbildung von uns auf mein myspace setzen
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
he werde ich diese Abbildung von uns meinem weblog hinzufügen
Haha sollten Sie dieses Ihre Rückstellung auf myspace oder etwas pic bilden:D
he ich zeige Ihnen diese Abbildung von mir überhaupt?
Wimmern! Blick auf diese alte Abbildung, die ich: fand
möchten den pics von meinen Ferien sehen?
Brazil:
hey eu fiz exame deste retrato fresco de mim em férias
Queira ver esta foto que eu fiz exame de você o outro dia?
Eu cant acredito que este retrato é você: |
Eu amo este retrato de nossos amigos :D
Eu estou indo pôr este retrato de nós sobre meu Web site
Estão aqui meus retratos confidenciais para somente nós
É este retrato realmente de você?? verificação louca do retrato ele para fora
Estas são as fotos que eu quis o mostrar:)
Você viu este? o presidente está inoperante...........
VOCÊ TEM QUE VER ESTE RETRATO DE MIM
China:
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :<.
NI HE WO !!! .... QING KAN :D.
KAN WO DE ZHAOPIAN :D.
JIESHOU WO DE ZHAO PIAN :> !!.
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :S !!.
ZHE SHI WO DE LUOZHAO :O QING BU YAO FA GEI BIEREN !!.
Every other location:
Here are my private pictures for you
I found these old school pictures... LOL :)
My friend took nice photos of me.you Should see em loL!
IS THIS REALLY YOU ??? i cant remember who sent it to me...
OMG YOU HAVE TO SEE THIS PICTURE!!!! :D
wanna see the pics from my vacation? :>
Check out my nice photo album. :D
Payload
Backdoor Functionality
The worm attempts to connect to IRC server 'www.vncsvr.com' on port 21898, join a channel and listen for commands. Using this backdoor, a remote attacker can instruct the worm to:
Note: Using this method to spread via Messenger allows the attacker to specify a different file name for the copy of the worm inside the ZIP.
Additional Information
The worm modifies the following registry entry:
  Adds value: "WaitToKillServiceTimeout"
  With data: "7000"
  To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
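A companion check for the backdoor connection and the service-timeout change described in the Payload and Additional Information sections, added here as an example rather than taken from the write-up. The IRC hostname, port and registry value are from the description; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-DnsClientCache, and the function name and output format are this example's own.

```powershell
# Added example, not code from the Microsoft write-up: looks for signs of the
# Scrimge.B backdoor channel (www.vncsvr.com, TCP 21898) and the lowered
# WaitToKillServiceTimeout value. Requires Windows 8 / Server 2012 or later.

function Get-ScrimgeBackdoorIndicators {
    $hits = New-Object System.Collections.Generic.List[string]

    # Live C2 session: the worm connects out to TCP port 21898 and waits for commands.
    Get-NetTCPConnection -RemotePort 21898 -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $hits.Add("TCP connection to $($_.RemoteAddress):21898 from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

    # A recent lookup of the C2 hostname survives in the local DNS cache after the socket closes.
    # Reading the cache does not generate any new DNS traffic.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*vncsvr.com' } |
        ForEach-Object { $hits.Add("DNS cache entry for C2 host: $($_.Entry) -> $($_.Data)") }

    # Service-shutdown timeout set to the value the worm writes ("7000", stored as a string).
    $ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'WaitToKillServiceTimeout' -ErrorAction SilentlyContinue
    if ($null -ne $ctl -and "$($ctl.WaitToKillServiceTimeout)" -eq '7000') {
        $hits.Add('WaitToKillServiceTimeout = 7000 (value written by the worm)')
    }

    return $hits
}

$indicators = Get-ScrimgeBackdoorIndicators
if ($indicators.Count -eq 0) { 'No Scrimge.B backdoor indicators found.' } else { $indicators }
```

The connection and DNS-cache checks only see activity on the host where they run; on a network with many clients, the same indicators (an outbound connection to port 21898 or a resolution of www.vncsvr.com) are more efficiently watched for at the egress firewall or DNS resolver logs.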