WORM_UTOTI.VRU

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• C:\Google\Autoit3.exe
• C:\Google\Google.lnk
• C:\Google\Windowsupdate.lnk
• C:\Google\GoogleUpdate.lnk
• %User Startup%\GoogleUpdate.lnk
• %User Startup%\WindowsUpdate.lnk
• {removable drive letter}:\Hot.lnk
• {removable drive letter}:\Movies.lnk
• {removable drive letter}:\My Games.lnk
• {removable drive letter}:\My Pictuers.lnk
• {removable drive letter}:\My Videos.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It creates the following folders with attributes set to System and Hidden to prevent users from discovering and removing its components:

• C:\Google

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• googleupdate

Autostart Technique

This worm creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "C:\Google\Windowsupdate.lnk"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "C:\Google\Windowsupdate.lnk"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
JavaUpdate = "C:\Google\GoogleUpdate.lnk"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AdopeUpdate = "C:\Google\GoogleUpdate.lnk"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
NewJavaInstall = "C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AdopeFlash = "C:\Google\AutoIt3.exe /AutoIt3ExecuteScript C:\Google\googleupdate.a3x"

Other System Modifications

This worm deletes the following files:

• C:\Google\googleupdate.vbs

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is "1".)

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Stop the malware process
• Start the malware
• Perform a shell command
• Delete the current malware copy and execute updated copy
• Display message box prompt
• Access receive URL
• Download file
• Perform system shut down
• Perform system restart
• Log off current user session
• Perform system standby

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}u.{BLOCKED}o.org:86

It posts the following information to its command and control (C&C) server:

• Windows volume ID
• Computer's network name
• ID of the currently logged on user.
• Country code
• OS Version
• Architecture type of the currently running Operating System
• List of installed Anti Virus product

Other Details

This worm checks for the presence of the following process(es):

• explorer.exe

It accesses the following URL(s) to get the affected system's location:

• http://www.geoplugin.net/json.gp

NOTES:

It has anti-VM routines that checks the system info, then exit if the malware is running on a VM platform.

This worm scans the system for the following modules, which are related to emulation applications:

• snxhk.dll
• SbieDll.dll
• api_log.dll
• dir_watch.dll
• dbghelp.dll
• monitornet.dll
• cuckoo
• SandCastle
• sandbox
• tracer.dll

It terminates itself if any of said modules exists.

This worm scans the system for the following process, which are related to debugging applications:

• VBoxService.exe
• VBoxTray.exe
• guninraik.exe
• SbieSvc.exe
• VMwareTray.exe
• VMwareUser.exe
• VMwareService.exe
• VMwareUser.exe
• FortiTracer.exe
• vmacthlp.exe
• vmtoolsd.exe
• BehaviorDumper.exe
• FakeHTTPServer.exe
• FakeServer.exe
• FakeHTTPServer.exe
• FakeHTTPServer.exe
• FakeHTTPServer.exe
• FakeHTTPServer.exe
• tcpview.exe
• procmon.exe

It terminates itself if any of said processes exists.

This worm scans the system for the following process, which are related to antivirus and security applications:

• avp.exe
• zonealarm.exe
• avguard.exe
• nod32kui.exe
• kavmm.exe
• fsbwsys.exe
• vmacthlp.exe
• avp.exe
• kavsvc.exe

It terminates itself if any of said processes exists.

This worm checks for the existence of following directories, which are related to debugging/emulation:

• C:\CWSandbox
• C:\python26
• C:\cuckoo

It also check the full path and file name of the current executable file:

• C:\virus\{script file name}

It terminates itself if any of said directories exist.

It copies the created C:\Google directory as {root drive}:\Skypee with file attribute RHS in all root directory, (e.g., C:\Skypee, D:\Skypee).

It drops shortcut files pointing to its copy in all folders located at the root directory. These shortcut files use the names of the folders that they were dropped in, (e.g., C:\Documents and Settings\Documents and Settings.lnk, C:\foldername\foldername.lnk, etc).