- Threat Encyclopedia
- Malware
- WORM_ACKANTTA.C
W32.Ackantta.B@mm (Symantec); Trojan:Win32/Hiloti (Microsoft); W32/Xirtem@MM (Mcafee); Troj/Agent-PVB (Sophos)
Windows 2000, Windows XP, Windows Server 2003
Propagates via removable drives, Propagates via peer-to-peer networks
This worm checks if Mozilla Thunderbird is installed in the affected system. It checks for the SMTP server used by this application by checking the file prefs.js and use it to send email messages containing a copy of itself to harvested email addresses.
This worm does not have any downloading capability.
This worm does not have any information-stealing capability.
This worm arrives as attachment to mass-mailed email messages. It arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It also has rootkit capabilities, which enables it to hide its processes and files from the user.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
595,456 bytes
EXE
Yes
22 Dec 2010
Drops files
Arrival Details
This worm arrives as attachment to mass-mailed email messages.
It arrives via removable drives.
It may arrive via network shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Adobe Updater 7.2 = "%System%\AdobeAQM.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_CURRENT_USER\Software\AdobeARM7
HKEY_LOCAL_MACHINE\SOFTWARE\AdobeARM7
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
gnome1ass = "12"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
gnome2ass = "22"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\AdobeAQM.exe = "%System%\AdobeAQM.exe:*:Enabled:Explorer"
Propagation
This worm creates the following folders in all removable drives:
It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It searches the network for the following shared networks onto which it attempts to drop copies of itself:
It drops the following copy(ies) of itself in all removable drives:
It drops copies of itself in all removable drives.
It uses the following file names for the copies it drops into shared networks:
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645645927-702000330-1542\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645645927-702000330-1542\autorun.exe
shell\open\default=1
It uses the following user name and password to gain access to password-protected shares:
It gathers target email addresses from files with the following extensions:
It avoids sending email messages to addresses containing the following strings:
Rootkit Capabilities
This worm also has rootkit capabilities, which enables it to hide its processes and files from the user.
Dropping Routine
This worm drops the following files:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
NOTES:
Download Routine
This worm does not have any downloading capability.
Information Theft
This worm does not have any information-stealing capability.
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
It checks if Mozilla Thunderbird is installed in the affected system. It checks for the SMTP server used by this application by checking the file prefs.js and use it to send email messages containing a copy of itself to harvested email addresses.
It checks for the presence of the following registry entry to check for SMTP server used in the affected system:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
SMTP Server = ""
If no SMTP servers are found from the abovementioned routines, it tries to guess the Simple Mail Transfer Protocol (SMTP) server of the affected system, using the gathered domain name and the following prefixes:
It then creates threads that are used to create its own SMTP engine.
The said engine uses the SMTP servers gathered from the machine and sends email messages containing a copy of itself to email addresses gathered from the abovementioned routine.
It checks for the location of the Windows Address Book by querying the following registry key to gather email addresses:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\
{WAB file name}
It uses the following names for the copies that it drops in folders used in peer-to-peer networks:
It accesses network drives to search for *.EXE and *.MSI files. Using the legitimate programs Wextract and Iexpress, it creates a Win32 Cabinet Self-Extractor containing the found file and a copy of itself. It then deletes the original file and replaces this with the created self-extracting file. Executing this file runs both the legitimate application and the malware copy. Trend Micro detects the said file as TROJ_DRPLACO.SM1.
This worm does not exploit any vulnerability.
9.200
7.718.02
23 Dec 2010
7.719.00
23 Dec 2010
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by WORM_ACKANTTA.C
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 6
Search and delete AUTORUN.INF files created by WORM_ACKANTTA.C that contain these strings
Step 7
Search and delete this folder
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_ACKANTTA.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.