ALIASES:

Microsoft: Koceg; Symantec: Mandaph; Sunbelt: Socks; Authentium: Socks; ClamAV: Socks; Fortinet: Socks; Fprot: Socks; Ikarus: Socks; Eset: Socks; Panda: Socks; VBA32: Socks

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives

The SOCKS malware family is known for spreading through removable drives. It is also used to control the affected systems using commands from a remote server.

  TECHNICAL DETAILS

Payload: Compromises system security, Connects to URLs/IPs

Installation

This worm drops the following files:

  • %AppDataLocal%\cftmon.exe
  • %System%\drivers\spools.exe
  • {drive letter}\autorun.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • %AppDataLocal%\cftmon.exe
  • %System%\drivers\spools.exe
  • {drive letter}\autorun.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UserInit = "%System%\userinit.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UIHost = "logonui.exe"

(Note: The default value data of the said registry entry is logonui.exe.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Schedule
ImagePath = "%System%\drivers\spools.exe"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\svchost.exe -k netsvcs.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}wfwe.com
  • http://{BLOCKED}we.net
  • http://www.{BLOCKED}ains.com/domain_profile.cfm?d=fewfwe&e=com