Installation
Typically, this threat gets onto your PC from a drive-by download attack. It can also be installed when you visit a compromised webpage or use an infected removable drive.
This threat also receives commands from a remote server to run in your PC.
This threat can also drop a copy of itself in the following directory on a removable drive. The dropped file is given the Read-Only, Hidden, and System file attributes. Files with the System attribute are hidden in GUIs but can be seen with command-line tools.

The following component files are also added:
- %Removable drive%\autorun.inf
- %Removable drive%\USB\Data\Desktop.ini
- %Removable drive%\USB\Desktop.ini
Installation logic
This threat also drops a copy of itself in:
%APPDATA%\Microsoft\Windows\~temp~<*>iN.exe
where <*> can be any of the following options; each naming pattern is run with a specific parameter:
- File name matches the regular expression "^~temp~[0-9]{5}iN\.exe", executed with the "in" parameter (installer mode)
For example: ~temp~12345iN.exe in
- File name matches the regular expression "^~temp~[0-9]{10}iN\.exe", executed with the "win" parameter (injector mode)
For example: ~temp~1234567890iN.exe win
In some cases the file name takes the form below. This variant is used to set services and hide folders.
- File name matches the regular expression ".*\\hsperfdata_temp\\~temp~clear~[0-9]{5}\.exe", executed with the "cleartemp" parameter
For example: ~temp~clear~32165.exe cleartemp
This threat also creates the following registry entries so that it runs each time you start your PC.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
With data: 'SecurityUpdate<5 random numbers>'
Sets value: "%APPDATA%\Microsoft\Windows\~temp~<5 random numbers>iN.exe" in
Earlier versions of this threat can create the auto start registry keys below:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
With data: Internet Security
Sets value: <malware file>
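As an added defender-side example (not code from the original writeup), the following Python triages exported Run/RunOnce entries against the drop-file naming and launch-parameter conventions described above. The sample export, the user name and the benign entry are constructed.

```python
import re

# Drop-file name patterns from the writeup, paired with the launch parameter
# each variant expects (case-insensitive, as Windows file names are).
VARIANTS = [
    (re.compile(r"(?:^|[\\/])~temp~[0-9]{5}iN\.exe$", re.I), "in", "installer"),
    (re.compile(r"(?:^|[\\/])~temp~[0-9]{10}iN\.exe$", re.I), "win", "injector"),
    (re.compile(r"[\\/]hsperfdata_temp[\\/]~temp~clear~[0-9]{5}\.exe$", re.I),
     "cleartemp", "cleartemp"),
]
RUNONCE_NAME = re.compile(r"^SecurityUpdate[0-9]{5}$")  # RunOnce value name
# Splits an autorun command line into an optionally quoted path and one argument.
CMDLINE = re.compile(r'^\s*"?(?P<path>[^"]+?)"?\s+(?P<arg>\S+)\s*$')


def classify_command_line(cmdline):
    """Variant label when path AND parameter agree with a pattern, else None."""
    m = CMDLINE.match(cmdline)
    if not m:
        return None
    path, arg = m.group("path"), m.group("arg").lower()
    for pattern, expected_arg, label in VARIANTS:
        if pattern.search(path) and arg == expected_arg:
            return label
    return None


def triage_autoruns(entries):
    """entries: (subkey, value_name, data) tuples; returns [(value_name, reasons)]."""
    hits = []
    for _subkey, name, data in entries:
        reasons = []
        label = classify_command_line(data)
        if label:
            reasons.append("launches a %s-mode drop file" % label)
        if RUNONCE_NAME.match(name):
            reasons.append("value name matches SecurityUpdate<5 digits>")
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample export (not real data): a worm RunOnce entry, a benign Run
# entry, and a cleartemp-variant file persisted under a harmless-looking name.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "SecurityUpdate48213",
     r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\~temp~48213iN.exe" in'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleApp",
     r'"C:\Program Files\ExampleApp\app.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Local\Temp\hsperfdata_temp\~temp~clear~32165.exe cleartemp"),
]
```

A name match with the wrong parameter is deliberately not reported, mirroring how the worm itself dispatches on the parameter.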
Spreads through...
Removable drives
The worm typically spreads through an infected removable drive, which may itself have been infected after a drive-by download attack from a compromised website.
Payload
Drops other malware
These files are dropped as "%TEMP%\~DF%nnn%KB.tmp.exe", where nnn is any number from 10000 to 99999.
Connects to a remote host to download and run files
This threat attempts to connect to a list of hard-coded remote servers and ports to download and run files.
Deletes other files
This worm also checks for the following files and deletes them when found.
- %Removable drive%\System\AutoDrive.exe
- %Removable drive%\Passwords.exe
These files can be old versions of the worm, or a version from a rival malware group distributing the same type of malware.
Disguises itself as a legitimate tool to evade detection
Some variants of this worm also use "Microsoft Malware Removal Tool" as their window title to evade antivirus process inspection.
It can also drop a copy of itself disguised as "Windows Defender" in the following directory:
It also creates the following shortcuts pointing to the malware:
- %startupcommon%\Windows Defender.lnk
- %startup%\Windows Defender.lnk
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
With data: Windows Defender
Sets value: %ProgramFiles%\Windows Defender\MSASCui.exe
Note: To confirm whether you are using a legitimate version of "Microsoft Malware Removal Tool" and not a copy of this threat, check for a user interface: the Microsoft tool has one, while the malware does not show that window. See http://www.microsoft.com/en-gb/security/pc-security/malware-removal.aspx for details.
This worm can also disguise itself as Internet Explorer, installing as any of the following files:
- %programfilesdir%\Internet Explorer\iexplore.dll
- %programfilesdir%\Internet Explorer\iexplore.exe
- %programfilesdir%\Internet Explorer\ieinstal.dll
Modifies System Security Settings
It also modifies the following registry entries to hide its file components.
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  With data: Hidden
  Sets value: 2
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  With data: HideFileExt
  Sets value: 1
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  With data: ShowSuperHidden
  Sets value: 0
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
  With data: DefaultValue
  Sets value: 1
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
  With data: CheckedValue
  Sets value: 1
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  With data: CheckedValue
  Sets value: 2
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
  With data: DefaultValue
  Sets value: 2
- In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  With data: CheckedValue
  Sets value: 1
- In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  With data: DefaultValue
  Sets value: 2
- In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  With data: CheckedValue
  Sets value: 0
- In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  With data: DefaultValue
  Sets value: 0
- In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  With data: UncheckedValue
  Sets value: 0
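An added example, not part of the original writeup, that checks the three per-user Explorer\Advanced values listed above in Python. It assumes a baseline snapshot of the user's earlier settings is available; the two snapshots below are constructed. These three values are also Windows' out-of-the-box settings, so the useful signal is a previously visible setting flipped back to hidden, not the values on their own.

```python
# Values the worm writes under HKCU\Software\Microsoft\Windows\CurrentVersion\
# Explorer\Advanced and their effect in Explorer: Hidden=2 hides hidden files,
# HideFileExt=1 hides known extensions (so "~temp~12345iN.exe" displays without
# ".exe"), ShowSuperHidden=0 hides protected operating-system files, which
# covers the Read-Only/Hidden/System drop files on removable drives.
WORM_SETTINGS = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
# The same three values set so the dropped files become visible again.
VISIBLE_SETTINGS = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def hiding_settings(values):
    """Names whose current value equals what the worm writes. These are also
    Windows' default values, so a match by itself is weak evidence."""
    return sorted(n for n, v in WORM_SETTINGS.items() if values.get(n) == v)


def reverted_to_hidden(baseline, current):
    """Names that did NOT hold the worm's value in the baseline snapshot but do
    now: a setting a user or policy had made visible was flipped back."""
    return sorted(n for n, v in WORM_SETTINGS.items()
                  if baseline.get(n) != v and current.get(n) == v)


def read_advanced_values():
    """Read the three values from HKCU on a live Windows host. Returns None on
    other platforms (winreg is Windows-only) so the logic above stays testable."""
    try:
        import winreg
    except ImportError:
        return None
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
        for name in WORM_SETTINGS:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: Explorer uses its default
    return out


# Constructed snapshots (not real data): an analyst workstation where hidden
# files, extensions and system files were all visible, and the same host later.
BASELINE = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}
AFTER = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
```

On a live host, compare read_advanced_values() against a snapshot taken when the machine was known-good; VISIBLE_SETTINGS is the state to restore during cleanup.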
Additional information
This threat also performs system checks and terminates any of the following processes to evade detection.
- Registry checks - looks for security tools with the following window titles, classes and text:
  - Window Title: WhatChanged
    Window Class: #32770
    Window Text: LOCAL MACHINE
  - Window Title: Blue Project Software SysTracer
    Window Text: Take snapshot
  - Window Title: SpyMe Tools
    Window Text: Scan
  - Window Title: Regshot
    Window Class: #32770
    Window Text: 1st shot
  - Window Title: Process Monitor
    Window Class: PROCMON_WINDOW_CLASS
  - Window Title: Autoruns
    Window Class: Autoruns
- Process checks
  - Window Title: Process Monitor
    Window Class: PROCMON_WINDOW_CLASS
  - Window Class: Class_PLMain
  - Window Class: PROCEXPL
  - Window Class: ProcessHacker
  - Window Class: AnVirMainFrame
  - Window Title: System Explorer
    Window Class: TMainForm.UnicodeClass
  - Window Title: Registry Editor
    Window Class: RegEdit_RegEdit
- Virtual machines - checks the following registry keys and paths to detect whether it is running in a virtual machine:
  - HKLM\SOFTWARE\Microsoft\Hyper-V
  - HKLM\HARDWARE\ACPI\DSDT\Xen
  - HKLM\HARDWARE\ACPI\FADT\Xen
  - HKLM\HARDWARE\ACPI\RSDT\Xen
  - HKLM\HARDWARE\ACPI\FADT\VBOX__
  - HKLM\HARDWARE\ACPI\RSDT\VBOX__
  - HKLM\HARDWARE\ACPI\DSDT\VBOX__
  - HKLM\HARDWARE\DEVICEMAP\Scsi, if it contains any of the following:
    - VMware
    - Virtual IDE
    - Virtual HD
    - Virtual Machine
    - VBOX HARDDISK
  - HKLM\SOFTWARE\VMware, Inc.
  - HKLM\SYSTEM\CurrentControlSet\services\VBoxService
  - %programfilesDir%\Oracle\VirtualBox
  - %programfilesDir%\VMware