Worm:Win32/Verst.B is a worm that spreads via network drives and downloads arbitrary files. This worm may also attempt to steal sensitive information such as passwords.
Installation
Worm:Win32/Verst.B has been distributed as a file that uses the Windows Explorer file icon. When executed, the worm opens an Explorer window in order to mask its actions from the affected user.
When executed, Worm:Win32/Verst.B copies itself to the c:\documents and settings\all users\application data\srtserv directory with the same file name as the worm file that was originally executed.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "srtserv"
With data: "c:\documents and settings\all users\application data\srtserv\<malware file>.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The malware creates the following files on an affected computer:
The DLL component provides stealth to the worm. It hooks the following system APIs, redirecting them to its own code in order to hide the worm's presence on the affected computer:
- ZwQueryDirectoryFile
- ZwQuerySystemInformation
- ZwOpenProcess
Spreads via…
Network drives
Worm:Win32/Verst.B spreads via network drives. It copies itself to the root of mapped network drives as subst.exe. The worm then writes an Autorun configuration file named autorun.inf pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. The autorun.inf file is detected as Worm:Win32/Verst!inf.
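A defender-side check for the spreading artifacts described above, added here as an example and not part of the original analysis. It scans a drive root for an autorun.inf that launches a subst.exe sitting beside it; the autorun.inf contents (open=/shellexecute= lines) are an assumption, since the page names the files but does not show the file body.

```python
import configparser
import os
import tempfile

# Constructed autorun.inf body of the kind a worm drops at a drive root.
# Assumed for illustration; the page does not show the actual file contents.
SAMPLE_AUTORUN = "[autorun]\nopen=subst.exe\nshellexecute=subst.exe\n"


def autorun_targets(path):
    """Return the lower-cased executables an autorun.inf would launch
    (open=, shellexecute=, and shell\\<verb>\\command= entries)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        with open(path, "r", errors="replace") as f:
            cp.read_file(f)
    except (configparser.Error, OSError):
        return []  # unreadable or not INI-shaped: nothing to launch
    targets = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value is None:
                continue
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(value.strip().strip('"').lower())
    return targets


def scan_drive_root(root):
    """True when the root carries both Verst.B spread artifacts: an
    autorun.inf whose launch target is subst.exe, and that subst.exe file."""
    inf = os.path.join(root, "autorun.inf")
    exe = os.path.join(root, "subst.exe")
    if not os.path.isfile(inf):
        return False
    launches_subst = any(os.path.basename(t) == "subst.exe" for t in autorun_targets(inf))
    return launches_subst and os.path.isfile(exe)


def build_sample_root(infected):
    """Create a temporary 'drive root' for testing; infected=True drops the
    constructed autorun.inf plus a placeholder subst.exe (not real malware)."""
    root = tempfile.mkdtemp(prefix="verst_demo_")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "subst.exe"), "wb") as f:
            f.write(b"MZ placeholder")
    return root
```

Pointing scan_drive_root at each mapped drive's root (for example every entry in a list of UNC paths) gives a quick triage of which shares still carry the dropper after cleanup.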
Payload
Downloads arbitrary files
Worm:Win32/Verst.B may contact the following remote hosts using port 80:
The worm then downloads the file setx.txt to the c:\documents and settings\all users\application data\srtserv directory. At the time of publishing, this file contained instructions for Verst.B to download additional files from the elefant.ru domain, including the following:
- article2.doc - detected as Worm:Win32/Verst.B
- idata1.zip - a copy of Multi Password Recover tool v1.2.6 by Alexandr Demchenko. This tool is used to find and recover passwords for popular applications
- idata2.zip - an encoded public key (probably used to verify the tool)
Modifies system settings
Worm:Win32/Verst.B disables safeboot on the affected computer. On relevant versions of Windows, safeboot is used to load a minimal set of drivers, allowing users to start Windows in a way that allows them to modify the registry or load or remove specified drivers.
Additional information
Worm:Win32/Verst.B creates a mutex named "KAENA_HOOK" to ensure that multiple instances of the worm do not run simultaneously.
It also creates the following registry entry in order to store information for its own use:
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn
Adds value: "value1"
With data: "malware.dat.exe"
Analysis by Jaime Wong