WORM_SILLY.LC

Malware type: Worm

Aliases: Worm.Win32.Flooder.a (Kaspersky), W32.SillyP2P (Symantec), Worm:Win32/Autorun.GR (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Low

Distribution potential: Medium

Infection Channel 1: Propagates via peer-to-peer networks

Infection Channel 2: Propagates via removable drives

Infection Channel 3: Copies itself to all available physical drives

Description: 

A worm is malware designed to propagate and spread across networks. Worms are known to propagate using one or several different transmission vectors, such as email, IRC, network shares, instant messengers (IM), and peer-to-peer (P2P) networks.

Worms do not infect files, but may carry one or more payloads, such as computer security compromise and information theft.

Worms typically modify system settings to automatically start. Users may need to terminate worms before they can be deleted. Also, restoring affected systems may require procedures other than scanning with an antivirus program.

Description created: Jan. 29, 2009 3:07:32 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: No

Size of malware: Varies

Initial samples received on: Jan 26, 2009

Related to: TROJ_AGENT.INC

Payload 1: Downloads files

Payload 2: Connects to a URL

Details:

Installation

This worm drops the following file(s)/component(s), which may possibly be malicious:

  • %System Root%\-1195302528 - non-malicious file
  • %System%\4221534445.dat - non-malicious file
  • %System%\crypts.dll
  • %System%\drivers\397df697.sys

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Techniques

This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
12CFG914-K641-26SF-N31P = "%system root%\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
12ZFG94-F641-2SF-K31P-5N1ER6H6L2 = "%System Root%\RECYCLER\S-1-5-21-0277141986-8284567213-581171959-0628\service.exe"

Other System Modifications

This worm creates the following registry key(s)/entry(ies):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
Asynchronous = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
DLLName = "crypts.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
Impersonate = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
StartShell = "Run"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\397df697

Propagation via Peer-to-peer Networks

This worm drops copies of itself in the following folders, which are used by peer-to-peer file-sharing applications:

  • \Local Settings\Application Data\Ares\My Shared Folder
  • Software\BearShare\General
  • Software\DC%20%20
  • Software\iMesh\General
  • Software\Kazaa\LocalContent
  • Software\Shareaza\Shareaza\Downloads

Propagation via Physical/Removable/Floppy Drives

This worm drops a copy of itself in all physical and removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The AUTORUN.INF file contains the following strings:

[autorun]
open=RECYCLER\S-1-5-21-0277141986-8284567213-581171959-0628\service.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-0277141986-8284567213-581171959-0628\service.exe
shell\open\default=1
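Both the Run values listed under Autostart Techniques and the AUTORUN.INF above launch an executable from a RECYCLER\S-1-5-21-... folder, a location that legitimate autorun entries and startup items do not normally point into. The following triage helper, an added example that is not part of the Trend Micro write-up, parses an AUTORUN.INF found on a removable drive and flags the execution keys that fit that pattern; the same check is applied to name/command pairs exported from a Run key. The sample inputs are constructed from the values on this page, and the assumption that the pseudo-SID folder always has the form S-1-5-21-<digits>-... is the example's own.

```python
import re
from typing import Dict, List

# Assumption (this example's own): the dropped copy lives in a RECYCLER folder whose
# name mimics a SID, S-1-5-21 followed by one or more dash-separated numeric groups,
# and the launched file is an .exe. Quotes and whitespace end the path.
RECYCLER_EXE = re.compile(
    r"RECYCLER\\S-1-5-21(?:-\d+)+\\[^\\\s\"]+\.exe",
    re.IGNORECASE,
)

# AUTORUN.INF keys that cause a program to run when the drive is opened or
# when a shell verb is chosen; icon= and action= only change presentation.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an AUTORUN.INF into a lowercased key -> value map."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_autorun_entries(text: str) -> List[str]:
    """Return the AUTORUN.INF execution keys whose value launches an .exe from a RECYCLER pseudo-SID folder."""
    entries = parse_autorun_inf(text)
    return sorted(k for k, v in entries.items() if k in EXEC_KEYS and RECYCLER_EXE.search(v))


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Given value-name -> command pairs from a Run key, return the names whose command points into a RECYCLER pseudo-SID folder."""
    return sorted(name for name, cmd in run_values.items() if RECYCLER_EXE.search(cmd))


# Constructed sample: the AUTORUN.INF content described in this write-up.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-0277141986-8284567213-581171959-0628\\service.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-5-21-0277141986-8284567213-581171959-0628\\service.exe
shell\\open\\default=1
"""

# Constructed sample: a typical installer CD autorun, which should not be flagged.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

# Constructed sample: the two Run values listed under Autostart Techniques.
SAMPLE_RUN_VALUES = {
    "12CFG914-K641-26SF-N31P":
        '"%system root%\\RECYCLER\\S-1-5-21-0243336031-4052116379-881863308-0850\\vsse32.exe"',
    "12ZFG94-F641-2SF-K31P-5N1ER6H6L2":
        '"%System Root%\\RECYCLER\\S-1-5-21-0277141986-8284567213-581171959-0628\\service.exe"',
    "ctfmon.exe": "C:\\Windows\\system32\\ctfmon.exe",
}

if __name__ == "__main__":
    print("autorun.inf flagged keys:", suspicious_autorun_entries(SAMPLE_AUTORUN))
    print("benign autorun flagged keys:", suspicious_autorun_entries(BENIGN_AUTORUN))
    print("Run values flagged:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

On a live host the Run values would come from exporting HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and the AUTORUN.INF from the root of each removable drive; the parser deliberately ignores icon= and action=, since those only disguise the entry and do not by themselves execute anything.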

Download Routine

This worm accesses Web sites to download the following file(s):

  • http://{BLOCKED}ytub.com/progs/xpnebli/mscpmmn.php
  • http://{BLOCKED}ytub.com/progs/xpnebli/qjnxuvis.php
  • http://channellili3.com/vss.exe
  • http://{BLOCKED}ytub.com/progs/xpnebli/syurof.php - detected by Trend Micro as TROJ_AGENT.INC
  • http://{BLOCKED}ytub.com/progs/xpnebli/yeofzmq.php
  • http://{BLOCKED}ytub.com/progs/xpnebli/yetlee.php - detected by Trend Micro as TROJ_AGENT.INC
  • http://{BLOCKED}ytub.com/progs/xpnebli/ziftpd.php - detected by Trend Micro as TROJ_AGENT.INC
  • http://{BLOCKED}ujpb.com/aasuper0.php
  • http://{BLOCKED}ujpb.com/aasuper1.php - detected by Trend Micro as TROJ_AGENT.INC
  • http://{BLOCKED}ujpb.com/aasuper2.php
  • http://{BLOCKED}ujpb.com/aasuper3.php - detected by Trend Micro as TROJ_AGENT.INC
  • http://{BLOCKED}ilqc.net/loaderadv563.exe

The downloaded files are saved in %System Root%.

It connects to the following Web site(s):

  • http://{BLOCKED}ytub.com/progs/xpnebli/irllzvws.php?adv=adv563
  • http://{BLOCKED}ytub.com/progs/xpnebli/jlvswpczj
  • http://{BLOCKED}ytub.com/progs/xpnebli/pfbyisf.php?adv=adv563&code1=HN0C&code2=0101&id=-1195302528&p=0
  • http://{BLOCKED}ytub.com/uniq.php?id=-1195302528&p=0

Analysis By: Erika Mendoza