Trojan:Win32/Womcodi.gen is a trojan that attempts to spread other malware via peer to peer file sharing.
Installation
When executed, Trojan:Win32/Womcodi.gen copies itself to %UserProfile%\svchost.exe. It also creates the following registry entry to ensure that it is run on system startup:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Host Process"
With data: "%UserProfile%\svchost.exe"
It then launches the new copy.
Note - %UserProfile% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the %UserProfile% directory is C:\Documents and Settings\<username>.
Payload
Spreads Malware via Peer to Peer File Sharing
Once installed, Trojan:Win32/Womcodi.gen drops between ten thousand and forty thousand files to the '%UserProfile%\!' directory. For some variants, these are fake Windows Media or QuickTime files, which at the time of publication were detected as TrojanDownloader:ASX/Wimad.F.
Examples of filenames used for these include:
air-chris brown jordin sparks.wma
amateur webcam sexy brunette.wma
american pie 1.wma
back in black ac dc.wma
bad medicine bo.wma
be kind rewind[2008]dvdrip-axxo.avi
pirates of the caribbean am ende der welt ts ld german xvid internal-pleaders rar.avi
futurama the beast with a billion backs dvdrip xvid-hookah.avi
star.wars.complete.720p.hdtv.x264.internal-hv.avi
= 28 weeks later = ( 2007 ).avi
If Limewire or Frostwire is present on the affected system, Win32/Womcodi attempts to modify their configuration files so that file sharing is enabled, the %UserProfile%\! directory is shared, and the shared files are not displayed to the local user. The following files may be modified:
%UserProfile%\Application Settings\limewire\limewire.props
%UserProfile%\Application Settings\limewire\questions.props
%UserProfile%\Application Settings\frostwire\frostwire.props
%UserProfile%\Application Settings\frostwire\questions.props
Win32/Womcodi periodically checks whether Limewire and Frostwire are running and launches them if not.
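The persistence entry, the dropped copy and the bait directory described above can be checked on a suspect host with the following PowerShell triage script. It is an added example, not part of this write-up or any Microsoft tool; it assumes it is run with administrator rights on the affected machine and only inspects the current user's profile ($env:USERPROFILE), using the file paths exactly as listed in this description.

```powershell
# Added triage script: looks for the artifacts this description attributes to
# Trojan:Win32/Womcodi.gen. Assumes administrator rights and checks only the
# current user's profile.

$findings = @()

# 1. Persistence: Run value "Host Process" launching a svchost.exe that does
#    not live in System32 (the legitimate svchost.exe only runs from there).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Host Process' -ErrorAction SilentlyContinue
if ($runValue) {
    $data = $runValue.'Host Process'
    if ($data -match '(?i)svchost\.exe' -and $data -notmatch '(?i)\\Windows\\System32\\') {
        $findings += "Run value 'Host Process' = $data (svchost.exe outside System32)"
    }
}

# 2. Dropped copy: svchost.exe directly under the user profile.
$copy = Join-Path $env:USERPROFILE 'svchost.exe'
if (Test-Path -LiteralPath $copy) {
    $findings += "Unexpected binary: $copy"
}

# 3. Bait directory: %UserProfile%\! filled with thousands of decoy files.
#    Report the count and a breakdown by extension (.wma/.avi/.zip/.htm etc.).
$baitDir = Join-Path $env:USERPROFILE '!'
if (Test-Path -LiteralPath $baitDir -PathType Container) {
    $files = @(Get-ChildItem -LiteralPath $baitDir -File -ErrorAction SilentlyContinue)
    $byExt = $files | Group-Object Extension | Sort-Object Count -Descending |
             ForEach-Object { "$($_.Name)=$($_.Count)" }
    $findings += "Bait directory $baitDir holds $($files.Count) files ($($byExt -join ', '))"
}

# 4. P2P client configuration files the trojan rewrites (paths as given in the
#    write-up): flag them for manual review along with their last write time.
foreach ($client in 'limewire', 'frostwire') {
    foreach ($name in "$client.props", 'questions.props') {
        $props = Join-Path $env:USERPROFILE "Application Settings\$client\$name"
        if (Test-Path -LiteralPath $props) {
            $mtime = (Get-Item -LiteralPath $props).LastWriteTime
            $findings += "Review P2P config $props (last modified $mtime)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Womcodi indicators found for the current user profile.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on item 1 or 2 alone is strong evidence of this family; item 4 only shows the files exist, so compare their content against a known-good copy before concluding they were tampered with.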
Should a user attempt to download and play one of these fake media files, they are prompted to download a codec to play the files. Should they accept the download, this results in more malware being downloaded to their system and executed. Files have been observed being downloaded from the following locations:
missing-codecs.com
missing-codecs.net
missing-codecs.org
Other variants drop zip files, which use the filenames of various games and utilities, but instead contain malware. Examples of filenames used include:
sandboxie 3.24.zip
Sansa Media Converter 1.3.zip
Santa's Favourite Screensaver for Windows.zip
Sarah Xtreme Pro.v4.0.4966.zip
SATELLITE TV for PC 2008 ELITE EDITION [Retail No Keygen Required].zip
Further variants drop HTML files, which, when opened in a web browser, download an executable file from a specified server. One variant was observed to download a variant of the Win32/Tonick family from 'your-ebooks.net'. Examples of filenames used include:
The Sandman Issues 01 thru 20.htm
the Secret Life of Bees - Sue Monk Kidd.htm
The Shadow Strikes Comics[Complete].htm
The Skull Beneath the Skin - by PD James - BBC Radio Drama - cheops.htm
The Slide - (1966) [BBC Radio (MP3 32kbps)].htm
Analysis by David Wood