WORM_TZHEN.A
Worm:Win32/Xema.gen!B (Microsoft), Backdoor.Trojan (Symantec), W32/Tzhen.worm (McAfee), W32/DollarR.AGS!tr.bdr (Fortinet), W32/Backdoor.AUCW (F-Prot), Win32/VB.AGS trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
File Size: 186,368 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 07 Apr 2009
Arrival Details
This worm arrives via removable drives.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %System%\Lcass.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following files:
- %System%\Lcass.dll
- %System%\Mswinsck.ocx
- %System%\Ntsvc.ocx
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Type = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ErrorControl = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ImagePath = "%System%\Lcass.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
DisplayName = "PnP plug 0n Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
FailureActions = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Description = "?????????????,???????????????????????????????????????"
It registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Other System Modifications
This worm adds the following registry keys:
HKEY_CLASSES_ROOT\MSWinsock.Winsock
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\NTService.Control.1
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service
It adds the following registry entries:
HKEY_CLASSES_ROOT\MSWinsock.Winsock
(Default) = "Microsoft WinSock Control, version 6.0"
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
(Default) = "Microsoft WinSock Control, version 6.0"
HKEY_CLASSES_ROOT\NTService.Control.1
(Default) = "NT Service Control"
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "Microsoft WinSock Control, version 6.0"
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "Winsock General Property Page Object"
HKEY_CLASSES_ROOT\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
(Default) = "NT Service Control"
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "IMSWinsockControl"
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "DMSWinsockControlEvents"
HKEY_CLASSES_ROOT\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
(Default) = "_DNtSvc"
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
1.0
(Default) = "Microsoft Winsock Control 6.0 (SP5)"
HKEY_CLASSES_ROOT\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\
1.0
(Default) = "Microsoft NT Service Control"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service
EventMessageFile = "%System%\Ntsvc.ocx"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service
TypesSupported = "7"
Propagation
This worm creates the following folders in all removable drives:
- {drive letter}:\RECYCLER
It drops the following copy(ies) of itself in all removable drives:
- {drive letter}:\RECYCLER\Lcass.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=.\RECYCLER\Lcass.exe
shell\1=??(&O)
shell\1\Command=.\RECYCLER\Lcass.exe
shell\2\=??(&V)...
shell\2\Command=.\RECYCLER\Lcass.exe
shellexecute=.\RECYCLER\Lcass.exe
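As an added defender-side example (not part of this entry and not Trend Micro's code), the following Python parser reads the AUTORUN.INF strings listed above, extracts every directive Windows would act on when the drive is opened, and flags launches from a RECYCLER folder or of the Lcass.exe filename; the sample content, indicator set and function names are constructed here, with the unreadable menu labels kept as they appear on the page.

```python
import re

# Constructed sample: the AUTORUN.INF content this entry attributes to WORM_TZHEN.A.
SAMPLE_AUTORUN = """[autorun]
open=.\\RECYCLER\\Lcass.exe
shell\\1=??(&O)
shell\\1\\Command=.\\RECYCLER\\Lcass.exe
shell\\2\\=??(&V)...
shell\\2\\Command=.\\RECYCLER\\Lcass.exe
shellexecute=.\\RECYCLER\\Lcass.exe
"""

# Keys that make Windows run a program on drive access or from the context menu.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.IGNORECASE)
# Filename indicator taken from this entry (assumed list; extend as needed).
KNOWN_NAMES = {"lcass.exe"}


def launch_targets(inf_text):
    """Return the executables an autorun.inf would launch, in order of appearance."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"  # only the [autorun] section counts
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEYS.match(key):
            targets.append(value)
    return targets


def assess(inf_text):
    """Flag the file if any launch path sits under RECYCLER or names a known worm file."""
    targets = launch_targets(inf_text)
    reasons = []
    for target in targets:
        parts = target.replace("/", "\\").lower().split("\\")
        if "recycler" in parts:
            reasons.append(f"launches from RECYCLER folder: {target}")
        if parts[-1] in KNOWN_NAMES:
            reasons.append(f"known worm filename: {target}")
    return {"targets": targets, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN))
```

Every launch directive in the sample resolves to the same RECYCLER\Lcass.exe path, which is the trait a removable-media scan should key on rather than the garbled menu labels.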
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}n.{BLOCKED}2.org