Where to Buy Trend Micro Products

For Home

For Small Business

1-888-762-8736
(M-F 8:00am-5:00pm CST)

For Enterprise

1-877-218-7353
(M-F 8:00am-5:00pm CST)

Not in the United States?
Select the country/language of your choice:

Asia Pacific Region

Europe

The Americas

Not in the United States?
Select the country/language of your choice:

Asia/Pacific

Europe

America

Login

For Home

For Business

For Partners

Threat Encyclopedia

WORM_SOCKS


ALIASES:

Microsoft: Koceg; Symantec: Mandaph; Sunbelt: Socks; Authentium: Socks; ClamAV: Socks; Fortinet: Socks; Fprot: Socks; Ikarus: Socks; Eset: Socks; Panda: Socks; VBA32: Socks

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:

  • Threat Type:Worm

  • Destructiveness:No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via removable drives


The SOCKS malware family is known for spreading through removable drives. It is also used to control the affected systems using commands from a remote server.

TECHNICAL DETAILS

Payload:

Compromises system security, Connects to URLs/IPs

Installation

This worm drops the following files:

  • %AppDataLocal%\cftmon.exe
  • %System%\drivers\spools.exe
  • {drive letter}\autorun.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • %AppDataLocal%\cftmon.exe
  • %System%\drivers\spools.exe
  • {drive letter}\autorun.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UserInit = "%System%\userinit.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UIHost = "logonui.exe"

(Note: The default value data of the said registry entry is logonui.exe.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Schedule
ImagePath = "%System%\drivers\spools.exe"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\svchost.exe -k netsvcs.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}wfwe.com
  • http://{BLOCKED}we.net
  • http://www.{BLOCKED}ains.com/domain_profile.cfm?d=fewfwe&e=com

Featured Stories

Connect with us on