Win32/Archivarius is a family of worms that spreads via peer-to-peer file sharing programs such as LimeWire and eDonkey. Members of the family also install a backdoor on the system which may be used to download and execute arbitrary files.
Installation
When executed, Worm:Win32/Archivarius copies itself to the System directory. Several variants of this family have been observed to use the filename 'WinSpooler.exe'.
Other variants have been observed using the following filenames:
WinSecure.exe
ciadvs.exe
ciadvss.exe
It also drops a file to %Temp%\temp_01.exe, as well as a clean file-compression utility to <system folder>\rar.exe.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The first time it runs, it displays a dialog, for example:
It creates a registry entry, such as the following, to ensure that it is run on system startup:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: "Windows Printing Driver"
With data: "WinSpooler.exe"
Other variants may use different values or data (depending on the filename used by a particular variant), for example:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: "Windows Security Tool"
With data: "WinSecure.exe"
or
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: "Windows Printing Driver"
With data: "ciadvss.exe"
It then launches both temp_01.exe and the new copy of itself.
Spreads Via…
Peer-to-Peer File Sharing
Worm:Win32/Archivarius generally first copies itself to %Temp%\Setup+Patch.exe and uses rar.exe to compress this file, which is saved to %Temp%\TEMP01.RAR. It has also been observed to copy itself to %Temp%\Installer-Crack-Keygen.exe, and compress this copy to TEMP1.ZIP, or copy itself to runme.exe, and compress this copy to TEMP01.RAR.
It then checks for the presence of the following peer-to-peer file sharing programs on the system:
- LimeWire
- eDonkey
- Ares
- Warez P2P
If any of these are found, it makes several hundred copies of TEMP01.RAR to these programs’ shared folders. The worm uses filenames that make the copies appear to be cracked versions of various pieces of software. It may also place copies in the %UserProfile%\shared or \My Downloads directories if these are present. Examples of some of the copies’ filenames include:
- Adobe Photoshop CS3 Extended Version Full + .Crack.rar
- Anti Hacker Expert 2008 working License Key + Patch _.rar
- Cyberlink Power Director 6 Delux Edition CRACK(2).rar
- Microsoft Windows Vista Ultimate x86 crack November 2007.rar
- [CRACK ITA] Football Manager 2008.rar
It then launches the targeted file sharing programs if they are not running already, so that the files may be shared with other users.
The following shows some of the files written by one variant, Worm:Win32/Archivarius.F being made available to share via LimeWire:
The following shows the contents of one of the shared archive files written by Worm:Win32/Archivarius.F when opened:

Payload
Backdoor Functionality
Once installed, the worm executes temp_01.exe which installs itself as a backdoor on the affected system. These files are generally detected as variants of Backdoor:Win32/Archivarius.
Some variants of Backdoor:Win32/Archivarius copy themselves to the System directory, before deleting the original file and injecting code into the svchost.exe process.
The following filenames have been observed being used in the wild:
- chkdsks.exe
- chkdskss.exe
Backdoor:Win32/Archivarius modifies the registry to ensure that its copy runs at each system start:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds value: NT Printing Service
With data: <filename>
This registry entry is periodically rewritten if it is removed.
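As an added defender-side example, not taken from the original write-up, the following Python checks a dump of the Policies\Explorer\Run key for the autostart values described above for both the worm and its backdoor, and spots the mass-duplicated archives the worm drops into P2P shared folders. The sample registry values and archive bytes are constructed, and the `min_copies` threshold is an assumed cut-off.

```python
import hashlib
from collections import defaultdict

# Autostart key used by both the worm and its backdoor component (from the write-up).
ARCHIVARIUS_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Value names and data filenames the write-up lists for Worm:Win32/Archivarius
# and Backdoor:Win32/Archivarius.
KNOWN_VALUE_NAMES = {"Windows Printing Driver", "Windows Security Tool", "NT Printing Service"}
KNOWN_FILENAMES = {"winspooler.exe", "winsecure.exe", "ciadvs.exe", "ciadvss.exe",
                   "chkdsks.exe", "chkdskss.exe"}

def find_archivarius_autoruns(run_values):
    """Return (value_name, data) pairs under the Run key that match the write-up's
    indicators. run_values is {value_name: data} as read from that key."""
    hits = []
    for name, data in run_values.items():
        exe = data.strip('"').rsplit("\\", 1)[-1].lower()   # bare filename, case-folded
        if name in KNOWN_VALUE_NAMES or exe in KNOWN_FILENAMES:
            hits.append((name, data))
    return hits

def find_duplicate_archives(shared_files, min_copies=10):
    """Group .rar/.zip files in a shared folder by content hash. The worm writes
    hundreds of identical archives under crack-like names, so any hash seen
    min_copies or more times is suspicious. shared_files is {filename: bytes}."""
    by_hash = defaultdict(list)
    for filename, content in shared_files.items():
        if filename.lower().endswith((".rar", ".zip")):
            by_hash[hashlib.sha256(content).hexdigest()].append(filename)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) >= min_copies}

# Constructed sample data for an offline run (not captured from a real infection).
SAMPLE_RUN_VALUES = {
    "Windows Printing Driver": "WinSpooler.exe",
    "NT Printing Service": "C:\\Windows\\System32\\chkdsks.exe",
    "OneDrive": "\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\"",
}
WORM_ARCHIVE = b"Rar!\x1a\x07\x00" + b"\x00" * 64   # constructed stand-in for TEMP01.RAR
SAMPLE_SHARED = {f"Crack {i}.rar": WORM_ARCHIVE for i in range(12)}
SAMPLE_SHARED["holiday.zip"] = b"PK\x03\x04unique"  # a legitimate, unique archive

if __name__ == "__main__":
    print(find_archivarius_autoruns(SAMPLE_RUN_VALUES))
    for digest, names in find_duplicate_archives(SAMPLE_SHARED).items():
        print(f"{len(names)} identical archives ({digest[:12]}...): {names[:3]} ...")
```

On a live Windows host the `run_values` dict would be filled from the key with `winreg`, and `shared_files` from the P2P client's shared directory.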
Archivarius may then connect to one of a number of web servers and download a list of backdoor commands.
The following servers have been observed being used for this purpose:
- mircomassi.no-ip.org
- ciccio90000.no-ip.org
- marcus90000.whyI.org
Archivarius stores backdoor command and status information in the file <system folder>\Monitored1.dat.
Archivarius’s controller may perform a number of different actions using this backdoor, including:
- Updating Archivarius
- Downloading and executing arbitrary files
- Sending system information
- Running a proxy server on the affected system
Earlier variants of Worm:Win32/Archivarius may instead install variants of the Backdoor:Win32/IRCBot family. These IRCBot variants generally copy themselves to <system folder>\NTSpool.exe, inject code into the svchost.exe process, and attempt to process commands from an IRC server at various locations (such as sendtoother.whyI.org).
Analysis by David Wood