Tuesday, July 8, 2008

WORM_VB.EFU

Overview
This detection is for a worm which spreads by copying itself to network shared drives. It also has the ability to terminate security applications.
Characteristics
When the worm is executed, it creates copies of itself under the following paths (several of the names imitate legitimate Windows binaries such as regedit.exe, rundll.exe and msiexec.exe):
C:\BootEx.exe
C:\Log.exe
C:\WINDOWS\ErrorReport.exe
C:\WINDOWS\MonitorMission.run
C:\WINDOWS\MonitorSetup.exe
C:\WINDOWS\regedif.exe
C:\WINDOWS\SystemMonitor.exe
C:\WINDOWS\Win System.exe
C:\WINDOWS\windows.exe
C:\WINDOWS\WinSystem
C:\WINDOWS\WinSystem.exe
C:\WINDOWS\WinSystem32.exe
C:\WINDOWS\SYSTEM\mscomfig.exe
C:\WINDOWS\SYSTEM\msiexece.exe
C:\WINDOWS\SYSTEM\rundlI.exe
C:\WINDOWS\SYSTEM\WindowsUpadate.exe
C:\WINDOWS\SYSTEM\msidlI.exe
C:\WINDOWS\SYSTEM\msiexee.exe
C:\WINDOWS\SYSTEM\regedif32.exe
C:\WINDOWS\SYSTEM\SCCONFIG.exe
C:\WINDOWS\SYSTEM\WindowsProtection.exe
C:\WINDOWS\SYSTEM\winlocon.exe
C:\WINDOWS\SYSTEM\wpa.bdlx
D:\BootEx.exe
D:\help.exe
D:\materi.exe
D:\SwapDrive.exe
The following files are also created (the OEM branding files that Windows shows in System Properties):
C:\WINDOWS\SYSTEM\oemlogo.bmp
C:\WINDOWS\SYSTEM\oeminfo.ini

It also drops a log.txt on the desktop containing the string 'no error found'.
The following registry entries are created (value names in quotes; "(Default)" is the key's default value):
HKEY_CURRENT_USER\Software\KyrentSoft
HKEY_CLASSES_ROOT\*\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\.bin "(Default)" = cfgFile
HKEY_CLASSES_ROOT\.cfg "(Default)" = cfgFile
HKEY_CLASSES_ROOT\.cvd "(Default)" = cfgFile
HKEY_CLASSES_ROOT\.dat "(Default)" = cfgFile
HKEY_CLASSES_ROOT\.exed "(Default)" = exedfile
HKEY_CLASSES_ROOT\.run "(Default)" = exefile
HKEY_CLASSES_ROOT\cfgfile "NeverShowExt"
HKEY_CLASSES_ROOT\cfgfile\shell\Open\command "(Default)" = c:\windows\windows.exe
HKEY_CLASSES_ROOT\excfile "NeverShowExt"
HKEY_CLASSES_ROOT\excfile\DefaultIcon "(Default)" = %SystemRoot%\System32\shell32.dll,3
HKEY_CLASSES_ROOT\exedfile\DefaultIcon "(Default)" = C:\windows\windows.exe
HKEY_CLASSES_ROOT\Folder\shell\Scan for Virus\Command "(Default)" = C:\windows\MonitorMission.run
HKEY_CLASSES_ROOT\htmlfile "NeverShowExt"
HKEY_CLASSES_ROOT\Folder\shell\Search\Command "(Default)" = C:\windows\MonitorMission.run
HKEY_CLASSES_ROOT\Word.Document.8 "NeverShowExt"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " SysMonitor" = C:\windows\WinSystem.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "explores" = C:\BootEx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = 1
HKEY_CLASSES_ROOT\Access.Application.9 "(Default)" = %SystemRoot%\System32\shell32.dll,3
HKEY_CLASSES_ROOT\dbfile "(Default)" = %SystemRoot%\System32\shell32.dll,3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "RegPath" = Software\Microsoft\Windows\CurrentVersions\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt "RegPath" = Software\Microsoft\Windows\CurrentVersions\Explorer\Advanced

Taken together these entries serve persistence and concealment. Mapping .run to exefile lets MonitorMission.run execute as a program; mapping .bin, .cfg, .cvd and .dat to cfgfile, whose Open command is the worm's copy, means opening any such file runs the worm; NeverShowExt hides the real extension of those types in Explorer. The Folder\shell entries replace the folder context-menu "Search" action (and add a "Scan for Virus" action) with the worm, and the two Run values restart it at every logon. The Explorer\Advanced values hide extensions and hidden files, and the two "RegPath" values point the "Show hidden files" and "Hide extensions" checkboxes in Folder Options at a non-existent CurrentVersions path, so the user cannot restore the normal view through that dialog.
The worm minimises application windows whose titles contain any of the following strings (among them the titles of Task Manager, Registry Editor dialogs, process viewers and antivirus tools):
Updatex
Updatingx
Upgradex
p.c.m.a.v
system restore
kill process
Task Manager
Warning
Confirm Value Delete
Confirm Key Delete
Edit String
process xp
Process View
Process Control
Process Explorer
process Patrol
hijack
raypc
Symptoms
Presence of the mentioned files.
Presence of the mentioned registry entries.
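One way to check a host for these symptoms is a read-only triage script, given here as an added example; it is not part of the original write-up or of any vendor tool. The file paths and registry values are copied literally from the lists above, and the script only reports what it finds. It assumes the worm used the literal C:\WINDOWS and D:\ locations stated above and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: read-only triage for the WORM_VB.EFU indicators listed in the write-up.
# Nothing is modified; findings are collected and printed at the end.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies of the worm (literal paths from the write-up).
$DroppedFiles = @(
  'C:\BootEx.exe', 'C:\Log.exe',
  'C:\WINDOWS\ErrorReport.exe', 'C:\WINDOWS\MonitorMission.run',
  'C:\WINDOWS\MonitorSetup.exe', 'C:\WINDOWS\regedif.exe',
  'C:\WINDOWS\SystemMonitor.exe', 'C:\WINDOWS\Win System.exe',
  'C:\WINDOWS\windows.exe', 'C:\WINDOWS\WinSystem',
  'C:\WINDOWS\WinSystem.exe', 'C:\WINDOWS\WinSystem32.exe',
  'C:\WINDOWS\SYSTEM\mscomfig.exe', 'C:\WINDOWS\SYSTEM\msiexece.exe',
  'C:\WINDOWS\SYSTEM\rundlI.exe', 'C:\WINDOWS\SYSTEM\WindowsUpadate.exe',
  'C:\WINDOWS\SYSTEM\msidlI.exe', 'C:\WINDOWS\SYSTEM\msiexee.exe',
  'C:\WINDOWS\SYSTEM\regedif32.exe', 'C:\WINDOWS\SYSTEM\SCCONFIG.exe',
  'C:\WINDOWS\SYSTEM\WindowsProtection.exe', 'C:\WINDOWS\SYSTEM\winlocon.exe',
  'C:\WINDOWS\SYSTEM\wpa.bdlx',
  'D:\BootEx.exe', 'D:\help.exe', 'D:\materi.exe', 'D:\SwapDrive.exe'
)
foreach ($f in $DroppedFiles) {
  if (Test-Path -LiteralPath $f) { $Findings.Add("file present: $f") }
}

# 2. Processes currently running from any of those paths (-contains is case-insensitive).
Get-Process -ErrorAction SilentlyContinue |
  Where-Object { $_.Path -and ($DroppedFiles -contains $_.Path) } |
  ForEach-Object { $Findings.Add("process running: $($_.Path) (PID $($_.Id))") }

# 3. Autostart values under HKLM\...\Run. Note the leading space in " SysMonitor",
#    which is why the value is looked up through PSObject.Properties rather than by dot-access.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunNames = @(' SysMonitor', 'explores')
$run = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
foreach ($name in $RunNames) {
  if ($run -and $run.PSObject.Properties[$name]) {
    $Findings.Add("Run value '$name' = $($run.PSObject.Properties[$name].Value)")
  }
}

# 4. File-association and context-menu hijacks: the default value of each key
#    is compared with what the write-up says the worm writes.
$ClassChecks = @(
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.run';  Value = 'exefile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.cfg';  Value = 'cfgfile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.bin';  Value = 'cfgfile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.dat';  Value = 'cfgfile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.cvd';  Value = 'cfgfile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exed'; Value = 'exedfile' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\cfgfile\shell\Open\command';          Value = 'c:\windows\windows.exe' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\Folder\shell\Scan for Virus\Command'; Value = 'C:\windows\MonitorMission.run' },
  @{ Key = 'Registry::HKEY_CLASSES_ROOT\Folder\shell\Search\Command';         Value = 'C:\windows\MonitorMission.run' }
)
foreach ($c in $ClassChecks) {
  $item = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
  if ($item -and ($item.'(default)' -ieq $c.Value)) {
    $Findings.Add("registry hijack: $($c.Key) (Default) = $($item.'(default)')")
  }
}

# 5. The worm's marker key and the sabotaged Folder Options "RegPath" values,
#    which it points at a non-existent "CurrentVersions" path so that the
#    "Show hidden files" and "Hide extensions" checkboxes stop working.
if (Test-Path -LiteralPath 'HKCU:\Software\KyrentSoft') {
  $Findings.Add('registry key present: HKCU\Software\KyrentSoft')
}
$FolderBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
foreach ($sub in @('Hidden\SHOWALL', 'HideFileExt')) {
  $p = Get-ItemProperty -LiteralPath "$FolderBase\$sub" -ErrorAction SilentlyContinue
  if ($p -and ($p.RegPath -match 'CurrentVersions')) {
    $Findings.Add("Folder Options sabotaged: $sub RegPath = $($p.RegPath)")
  }
}

if ($Findings.Count -eq 0) { 'No WORM_VB.EFU indicators found.' } else { $Findings }
```

The HKCU checks only cover the profile the script runs under; to sweep other users, load or enumerate their hives as well. The default-value comparison in step 4 is deliberate: a .run or .cfg association alone is not suspicious, but one whose handler is the worm's own copy is.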
Method of Infection
The worm spreads by trying to copy itself to local and mapped drives.
Removal