Worm:Win32/Darksnow.A


Worm:Win32/DarkSnow.A is a worm that copies itself to attached drives and infects executable (.EXE) and Microsoft Office (.DOC, .XLS) files stored both locally and on attached drives. Some variants may terminate security-related applications.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: it may also be necessary to temporarily set network shares to read-only until the disinfection process is complete; otherwise a single machine that has not yet been cleaned can re-infect files on a writable share.
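The share-hardening steps above (inventory writable shares, restrict them, back out afterwards) as an added PowerShell example; this is not part of the Microsoft entry. It assumes Windows 8 / Server 2012 or later (the SmbShare module) and an elevated session, and the -Exclude, -MakeReadOnly and -BackupPath parameter names are mine:

```powershell
# Added example, not part of the Microsoft entry: list SMB shares that grant
# write access and, only when -MakeReadOnly is given, downgrade those grants
# to Read for the duration of the clean-up. Assumes Windows 8 / Server 2012+
# (SmbShare module) and an elevated session. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Exclude = @(),      # shares to leave untouched (e.g. a scanner's quarantine share)
    [switch]$MakeReadOnly,         # without this switch the script only reports
    [string]$BackupPath = "$env:ProgramData\share-acl-backup.xml"
)

# Administrative and hidden shares (ADMIN$, C$, IPC$, print$) end in '$'; skip them
# and anything the caller excluded.
$shares = Get-SmbShare |
    Where-Object { $_.Name -notmatch '\$$' -and $_.Name -notin $Exclude }

# Keep a restorable copy of every share ACL before touching anything.
$original = foreach ($s in $shares) { Get-SmbShareAccess -Name $s.Name }
if ($original) { $original | Export-Clixml -LiteralPath $BackupPath }

foreach ($s in $shares) {
    # Share-level grants that permit writes: Full or Change.
    $writable = Get-SmbShareAccess -Name $s.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full', 'Change' }

    # Report line for this share (empty Writable column means already read-only).
    [pscustomobject]@{
        Share    = $s.Name
        Path     = $s.Path
        Writable = ($writable | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join ', '
    }

    if ($MakeReadOnly) {
        foreach ($ace in $writable) {
            if ($PSCmdlet.ShouldProcess("$($s.Name) ($($ace.AccountName))", 'Downgrade share access to Read')) {
                # Revoke removes every ACE for that account on the share; re-grant Read only.
                Revoke-SmbShareAccess -Name $s.Name -AccountName $ace.AccountName -Force | Out-Null
                Grant-SmbShareAccess  -Name $s.Name -AccountName $ace.AccountName -AccessRight Read -Force | Out-Null
            }
        }
    }
}

# Restore the original grants once every machine has been scanned:
#   Import-Clixml $BackupPath | ForEach-Object {
#       Grant-SmbShareAccess -Name $_.Name -AccountName $_.AccountName -AccessRight $_.AccessRight -Force }
```

Run it once without -MakeReadOnly to see which shares an infected client could write to, then with -MakeReadOnly -WhatIf to preview, then for real. Share-level Read is enough here because the effective permission over the network is the more restrictive of the share and NTFS ACLs, so nothing on disk has to be changed and the backup file puts the original grants back afterwards.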

Threat behavior

Installation
This worm is installed when a user opens a file infected by Virus:O97M/DarkSnow.A or runs a file infected with Virus:Win32/DarkSnow.A. When a Virus:O97M/DarkSnow.A-infected Excel workbook is opened and its macro runs, the macro creates a new workbook named 'book1.xls' in the XLSTART folder (workbooks in XLSTART are loaded automatically every time Excel starts), infects that new workbook, and then infects workbooks opened in Excel. The macro contains a base64-encoded copy of Worm:Win32/DarkSnow.A that is dropped when the macro is allowed to execute.
 
When a Virus:O97M/DarkSnow.A-infected Word document is opened and its macro runs, it infects the global template 'normal.dot'. Once the global template is infected, every document newly created in Word is infected in turn. Both forms of the macro virus contain a base64-encoded copy of Worm:Win32/DarkSnow.A that is dropped and run as described below.
 
When a Virus:Win32/DarkSnow.A-infected file is run, it drops a copy of Worm:Win32/DarkSnow.A as the following:
 
%temp%\bk_1.tmp - Worm:Win32/DarkSnow.A
 
The dropped worm copy is executed and creates the mutex "blackicemutex" (a single-instance guard, and a usable indicator of a running copy). It then copies itself to the following files:
 
<system folder>\blackice.exe - Worm:Win32/DarkSnow.A
<system folder>\kernel.dll - Worm:Win32/DarkSnow.A
 
The file attributes of 'blackice.exe' are set to system, hidden and read-only, so the file is not shown in a default Explorer view. The registry is modified to run the dropped copy 'blackice.exe' at Windows start:
 
Adds value: "run"
With data: "<system folder>\blackice.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
 
Modifies value: "Shell"
With data: "Explorer <system folder>\blackice.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
The Windows configuration files 'system.ini' and 'win.ini' are also modified to execute the worm copy at Windows start. The worm makes the following change to '%windir%\win.ini' within the "[load]" section:
run=<system folder>\blackice.exe
 
The worm makes the following change to '%windir%\system.ini' within the "[boot]" section:
shell=explorer.exe <system folder>\blackice.exe
 
Note: The configuration files 'system.ini' and 'win.ini' contain driver load parameters and other Windows settings. They are honoured primarily by Windows 9x (95/98/Me); Windows NT-based systems, including XP, redirect most win.ini settings to the registry (the "run" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows shown above is the registry counterpart of win.ini's run= entry), so on those systems the registry changes are the ones that take effect.
Spreads Via…
Removable Drives
A thread is created that copies Worm:Win32/DarkSnow.A to inserted USB drives under the name of the currently running process, usually "blackice.exe" but in some cases "bk_1.tmp". The worm then writes an AutoRun configuration file named 'autorun.inf' pointing to the worm copy. When the removable or networked drive is accessed from another machine on which the AutoRun feature is enabled, the malware is launched automatically. Windows 7 and later, and Windows XP/Vista with update KB971029 applied, ignore autorun.inf on non-optical removable media, so this vector depends on the target being an unpatched or older system.
 
File Infection
Another thread is created to search all drives and attempt to infect files with the extensions .EXE, .DOC and .XLS. When an infected executable is run, it drops and installs a copy of the worm as described above. Before infecting a .DOC or .XLS file, Worm:Win32/DarkSnow.A checks for the infection-marker string '<!!blackice>' and infects only Microsoft Office files that do not already contain it, so the marker is both a re-infection guard for the worm and a usable signature for defenders.
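The two spreading mechanisms above (autorun.inf on removable drives, and Office files carrying the '<!!blackice>' marker) as an added PowerShell sweep; this is my example, not code from the Microsoft entry. The file names and marker come from the entry. Two assumptions are mine: that the marker is stored as plain text in the .doc/.xls (if it only existed inside the compressed VBA stream, a VBA decompressor would be needed instead), and the hypothetical -ScanRoot parameter for an extra path such as a mapped share:

```powershell
# Added example, not part of the Microsoft entry: sweep removable drives for
# DarkSnow.A spread artefacts and check the AutoRun policy. Read-only.
# Assumption (mine): '<!!blackice>' appears as plain ASCII or UTF-16LE text.
param([string]$ScanRoot)   # hypothetical: extra root to sweep, e.g. a mapped share

$Marker    = '<!!blackice>'               # infection marker from the entry
$DropNames = 'blackice.exe', 'bk_1.tmp'   # names the worm copies itself under

function Test-OfficeMarker {
    param([string]$Path)
    # Search raw bytes in both encodings; a marker inside the compressed VBA
    # stream would not be found this way.
    $bytes = [IO.File]::ReadAllBytes($Path)
    foreach ($enc in [Text.Encoding]::ASCII, [Text.Encoding]::Unicode) {
        if ($enc.GetString($bytes).Contains($Marker)) { return $true }
    }
    return $false
}

function Find-MarkedOfficeFiles {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.doc', '.xls' -and (Test-OfficeMarker $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# DriveType 2 = removable. The worm copies itself to the drive root.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { $_.DeviceID + '\' }

foreach ($root in $removable) {
    # Dropped copies carry hidden+system attributes, so -Force is required.
    Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $DropNames } |
        ForEach-Object { "[$root] dropped copy: $($_.Name) ($($_.Attributes))" }

    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # autorun.inf keys that launch code: open=, shellexecute=, shell\<verb>\command=
        $launch = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(?<target>.+)$') { $Matches.target.Trim() }
        }
        "[$root] autorun.inf launches: $($launch -join ' | ')"
    }
    Find-MarkedOfficeFiles -Root $root
}
if ($ScanRoot) { Find-MarkedOfficeFiles -Root $ScanRoot }

# AutoRun policy. NoDriveTypeAutoRun is a bitmask of drive types that must NOT
# autorun: 0x04 removable, 0x10 network, 0xFF everything. When the value is
# absent the Windows default (0x91) applies, which leaves removable drives enabled.
foreach ($hive in 'HKLM', 'HKCU') {
    $key  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $pol  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $mask = if ($pol) { [int]$pol.NoDriveTypeAutoRun } else { 0x91 }
    '{0} NoDriveTypeAutoRun = 0x{1:X2}; removable blocked: {2}; network blocked: {3}' -f
        $hive, $mask, [bool]($mask -band 0x04), [bool]($mask -band 0x10)
}
```

A hit on the marker or a dropped copy means the drive has touched an infected host; scan it and every machine it has been plugged into rather than deleting the files by hand. Setting NoDriveTypeAutoRun to 0xFF under HKLM closes the autorun.inf vector on systems that still honour it.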
Payload
Terminates Applications
Some variants of this threat may terminate processes whose names contain any of the following strings, most of which belong to antivirus and firewall products (several of them Chinese security products):
 
360SAFE
ANYVIEW
AVP
EGHOST
IPARMOR
KASPERSKY
KAV32
KAVPFW
KAVSVCUI
KAVSVC
KVMONXP
KVSRVXP
KVFW
KVWSC
KVXP
KWATCHUI
NAVAPSVC
NAVW32
NMAIN
NOD32
PFW
RAV.EXE
RAVMOND
RAVMON
RAVTIMER
RISING
SCAN32
THGUARD
TROJANHUNTER
 
Collects and Sends Information to Remote Sites
The worm gathers the following information about the infected computer:
  • computer MAC address
  • hard drive volume serial number
  • hostname
The worm may download a file 'url.txt' from one of the following predefined remote websites:
fmtwld.zj.com
fmtwld.vicp.net
 
The file is stored temporarily as '<system folder>\blackice.ini' and may contain a list of further remote websites. The collected data may then be sent to those sites as a query string in the following format:
 
<site>?mac=<mac address>&serial=<volume serial number>&hostname=<localhostname>&version=1.1
 
The temporary file '<system folder>\blackice.ini' is later deleted.
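The two-hop check-in described above (a fetch of 'url.txt' from one of the named hosts, then a fingerprint beacon to a host taken from that file) is something a proxy log can show. The following is an added PowerShell example, not part of the Microsoft entry: the two download hosts and the query-string layout come from the entry; the log lines, the client addresses and the 192.0.2.10 second-stage host are constructed, and the field layout assumes a Squid-style access log (time, client, method, URL, status):

```powershell
# Added example, not part of the Microsoft entry: flag DarkSnow.A check-in
# traffic in web-proxy logs. Hosts and query layout are from the entry; the
# log lines below are constructed, not real captures.
$KnownHosts = 'fmtwld.zj.com', 'fmtwld.vicp.net'

# Require all four parameter names in the documented order, so an unrelated URL
# that merely contains 'hostname=' or 'version=' does not match.
$Beacon = [regex]'[?&]mac=(?<mac>[^&\s]+)&serial=(?<serial>[^&\s]+)&hostname=(?<host>[^&\s]+)&version=(?<ver>[\d.]+)'

# Constructed sample log: time, client, method, URL, status.
$SampleLog = @'
1242345600.101 10.0.0.15 GET http://fmtwld.zj.com/url.txt 200
1242345601.222 10.0.0.15 GET http://192.0.2.10/cgi/in.php?mac=00-0C-29-3A-7F-11&serial=1A2B-3C4D&hostname=WKS-FIN-07&version=1.1 200
1242345602.333 10.0.0.22 GET http://www.example.com/search?q=hostname&version=2 200
1242345603.444 10.0.0.15 GET http://fmtwld.vicp.net/url.txt 404
'@

function Find-DarkSnowBeacons {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $client = $fields[1]
        $url    = $fields[3]

        $uri = $null
        if (-not [uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) { continue }

        $m = $Beacon.Match($url)
        $reason = $null
        if ($KnownHosts -contains $uri.Host) { $reason = 'url.txt download host' }
        elseif ($m.Success)                 { $reason = 'fingerprint beacon (second-stage host from url.txt)' }
        if (-not $reason) { continue }

        # Pull the victim fingerprint out of the beacon when present.
        $mac = ''; $serial = ''; $victim = ''
        if ($m.Success) {
            $mac    = $m.Groups['mac'].Value
            $serial = $m.Groups['serial'].Value
            $victim = $m.Groups['host'].Value
        }

        [pscustomobject]@{
            Client = $client
            Server = $uri.Host
            Reason = $reason
            Mac    = $mac
            Serial = $serial
            Victim = $victim
        }
    }
}

# Three of the four constructed lines are flagged; the example.com search is not.
Find-DarkSnowBeacons -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

The host list alone only catches the first hop; the beacon regex is what identifies the second, because the destination for the fingerprint comes from url.txt and is not known in advance. The Victim column gives the hostname the worm reported, which is the machine to isolate and scan even when the proxy's client address is a NAT or shared gateway.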
 
Lowers Macro Security
Worm:Win32/DarkSnow.A lowers Microsoft Word and Excel macro security by modifying registry data. A "Level" of 1 corresponds to the Low setting in Office 2000-2003, under which all macros run without any prompt, so infected documents and workbooks then open and execute their macro silently.
 
Modifies value: "Level"
With data: "1"
In subkeys:
HKCU\Software\Microsoft\Office\<version>\Excel\Security
HKCU\Software\Microsoft\Office\<version>\Word\Security
 
Analysis by Dan Kurc

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files with 'hidden' and 'system' file attributes:
    <system folder>\blackice.exe
    <system folder>\kernel.dll
  • The presence of the following registry modifications:
    Value: "run"
    With data: "<system folder>\blackice.exe"
    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Value: "Shell"
    With data: "Explorer <system folder>\blackice.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • The presence of the following change to the Windows configuration file '%windir%\win.ini' within the section "[load]":
    run=<system folder>\blackice.exe
  • The presence of the following change to the Windows configuration file '%windir%\system.ini' within the section "[boot]":
    shell=explorer.exe <system folder>\blackice.exe
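A read-only host check for the indicators listed in the Installation, Lowers Macro Security and Symptoms sections, as an added PowerShell example; this is my code, not the Microsoft entry's. Everything it looks for (file names, registry values, ini entries, the "blackicemutex" mutex, the Office "Level" value) comes from the entry, with one addition of mine: the VBAWarnings check, which is the Office 2007 and later equivalent of "Level" and is not mentioned in the entry. Run it in an elevated session:

```powershell
# Added example, not part of the Microsoft entry: read-only check of one host
# for the DarkSnow.A indicators documented above. Changes nothing.
# The VBAWarnings check (Office 2007+) is my addition; the entry lists only 'Level'.
$Sys = [Environment]::GetFolderPath('System')    # <system folder>
$Win = [Environment]::GetFolderPath('Windows')   # %windir%
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The worm sets hidden+system, so -Force is needed to see them.
foreach ($p in (Join-Path $Sys 'blackice.exe'), (Join-Path $Sys 'kernel.dll'), (Join-Path $env:TEMP 'bk_1.tmp')) {
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($f) { $findings.Add("file: $p [$($f.Attributes)]") }
}

# 2. Registry run points. Any non-empty 'run' value is suspicious, and any Shell
#    other than the default 'explorer.exe' would catch a renamed variant too.
$runKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$shellKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$run   = (Get-ItemProperty -Path $runKey   -Name run   -ErrorAction SilentlyContinue).run
$shell = (Get-ItemProperty -Path $shellKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($run) { $findings.Add("registry: $runKey\run = '$run'") }
if ($shell -and $shell.Trim() -ine 'explorer.exe') { $findings.Add("registry: $shellKey\Shell = '$shell'") }

# 3. win.ini / system.ini. Only effective on 9x-era systems, but cheap to check.
foreach ($ini in (Join-Path $Win 'win.ini'), (Join-Path $Win 'system.ini')) {
    if (-not (Test-Path -LiteralPath $ini)) { continue }
    Get-Content -LiteralPath $ini | ForEach-Object {
        if ($_ -match '^\s*(run|load|shell)\s*=\s*(?<v>.+)$') {
            $k = $Matches[1]; $v = $Matches.v.Trim()
            if ($v -match 'blackice' -or ($k -ieq 'shell' -and $v -ine 'explorer.exe')) {
                $findings.Add("ini: $ini -> $k=$v")
            }
        }
    }
}

# 4. Mutex. OpenExisting only sees objects in this session's namespace (plus the
#    Global\ namespace); an access-denied error still proves the object exists.
foreach ($name in 'blackicemutex', 'Global\blackicemutex') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings.Add("mutex: $name present (worm likely running)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("mutex: $name present (access denied)")
    }
}

# 5. Office macro security. Level=1 is 'Low' in Office 2000-2003 (all macros run);
#    VBAWarnings=1 is the Office 2007+ Trust Center equivalent ('Enable all macros').
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
    ForEach-Object {
        foreach ($app in 'Word', 'Excel') {
            $key = "HKCU:\Software\Microsoft\Office\$($_.PSChildName)\$app\Security"
            $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($sec.Level -eq 1)       { $findings.Add("macro security: $key Level=1 (Low)") }
            if ($sec.VBAWarnings -eq 1) { $findings.Add("macro security: $key VBAWarnings=1 (all macros enabled)") }
        }
    }

if ($findings.Count -eq 0) { 'No DarkSnow.A indicators found.' } else { $findings }
```

Any finding should be followed by the full-system scan described under "What to do now" rather than by deleting the listed files, since the worm also infects .EXE, .DOC and .XLS files that this check does not enumerate. The mutex test is the only indicator that distinguishes a running copy from leftover artefacts, and it is negative when the worm runs in a different logon session.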

Alert level: Severe
First detected by definition: 1.57.1403.0
Latest detected by definition: 1.205.797.0 and higher
First detected on: May 15, 2009
This entry was first published on: May 16, 2009
This entry was updated on: Apr 17, 2012

This threat is also detected as:
  • Worm:Win32/Tufik.F (other)
  • Win32/Whiteice.worm.35377 (AhnLab)
  • Win32/Tufik.A (AVG)
  • Backdoor.Bot.90971 (BitDefender)
  • WIN.WORM.Virus (Dr.Web)
  • Worm.Win32.WhiteIce.c (Kaspersky)
  • W32/Tufik.worm.gen (McAfee)
  • W32/Packed_FSG.D (Norman)
  • Mal/TinyDL-T (other)