WORM_CHIPIVER.AB

 Analysis by: Nikko Tamana

 ALIASES:

W32/Downloader_a.CMX!tr (Fortinet), Trojan-Downloader.Win32.Small (Ikarus), Worm:Win32/Chiviper.C (Microsoft), a variant of Win32/PSW.OnLineGames.QDL trojan (NOD32), Trojan.Gen.2 (Norton), Trojan.Win32.Generic!BT (Sunbelt), Trojan.Generic.KDV.723881 (Bitdefender)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File Size:

44,544 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

07 Sep 2012

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %User Temp%\{random filename}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following file(s)/component(s):

  • %Windows%\usp10.dll
  • %User Temp%\00{random file name}.temp

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
ExcludeFromKnownDlls = "usp10.dll"

Download Routine

This worm connects to the following malicious URLs:

  • http://{BLOCKED}f.info/duqu/m97.txt
  • http://{BLOCKED}5.{BLOCKED}fla.com/tj1/post.asp?d10=08-00-27-DA-9F-73&d11=ver-jc-x98&d21=56&d22=xp

NOTES:

This worm drops copies of itself in all folders on fixed drives and removable drives containing .EXE files. This allows this worm to be loaded when an .EXE file attempts to load the legitimate USP10.DLL. This happens when an .EXE file loads DLL components from the same folder before checking in the system folders for the component DLL.