WORM_SWARLEY.A

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

High

Infection Channel 1 : Propagates via email


Infection Channel 2 : Propagates via peer-to-peer networks


Infection Channel 3 : Propagates via removable drives


Description: 

This memory-resident worm arrives as an attachment to mass-mailed email messages. When executed, it copies itself into shared folders of peer-to-peer networks bearing file names of popular applications to entice users into downloading and executing or installing these files.

It also drops copies of itself in all physical and removable drives of the affected system, further enhancing the effectiveness of its propagation routine for users sharing or accessing drives from other machines. Along with it is an AUTORUN.INF file that allows the copy's automatic execution once the removable or physical drive is accessed.

This worm is also capable of attaching itself to emails that contain any of the following details:

It uses its own Simple Mail Transfer Protocol (SMTP) engine to send these emails.

To get a one-glance comprehensive view of the behavior of WORM_SWARLEY.A, refer to the Behavior Diagram shown below.

WORM_SWARLEY.A Behavior Diagram

For its payload, this worm displays the following image to trick the user into thinking that it is a non-malicious file:

It also attempts to connect to certain Web sites possibly to download other malware or an updated copy of itself.

For additional information about this threat, see:

Description created: Jan. 21, 2009 5:43:28 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 387,584 Bytes (.EXE file); 158,750 Bytes (.DLL file)

Initial samples received on: Jan 21, 2009

Payload 1: Displays graphics

Payload 2: Connects to a URL

Details:

Arrival, Installation, and Autostart Technique

This worm arrives as an attachment to mass-mailed email messages.

Upon execution, it drops the following file(s):

  • %System%\javaqs.exe - also detected as WORM_SWARLEY.A
  • %System%\javaupd.exe - copy of itself

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer\Run
Java update = "%System%\javaqs.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Java update = "%System%\javaqs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Kaspersky Email Security = "%System%\javaupd.exe"

Other System Modifications

This worm creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
bloody-thursday = "1"
dieing = "19"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\CabinetFileStateKAV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\
{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\CabinetFileStateKAV

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\javaupd.exe = "%System%\javaupd.exe:*:Enabled:Explorer"

Propagation via Peer-to-peer Networks

This worm copies itself into the shared folders of peer-to-peer applications using the following file names:

  • Absolute Video Converter 6.2.exe
  • Acker DVD Ripper 2009.exe
  • Ad-aware 2008.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • Alcohol 120 v1.9.7.exe
  • BitDefender AntiVirus 2009 Keygen.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.11.exe
  • Divx Pro 6.8.0.19 %20 keymaker.exe
  • Download Accelerator Plus v8.7.5.exe
  • Download Boost 2.0.exe
  • FOOTBALL MANAGER 2009.exe
  • G-Force Platinum v3.7.5.exe
  • Google Earth Pro 4.2. with Maps and crack.exe
  • Half life 3 preview 10 minutes gameplay video.exe
  • Internet Download Manager V5.exe
  • Joannas Horde Leveling Guide TBC Woltk.exe
  • K-Lite codec pack 4.0 gold.exe
  • Kaspersky Internet Security 2009 keygen.exe
  • LimeWire Pro v4.18.3.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Myspace theme collection.exe
  • Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
  • Norton Anti-Virus 2009 Enterprise Crack.exe
  • Opera 10 cracked.exe
  • Password Cracker.exe
  • Perfect keylogger family edition with crack.exe
  • Power ISO v4.2 %20 keygen axxo.exe
  • Red Alert 3 keygen and trainer.exe
  • Silkroad Online guides and wallpapers.exe
  • Smart Draw 2008 keygen.exe
  • Sophos antivirus updater bypass.exe
  • Super Utilities Pro 2009 11.0.exe
  • TCN ISO cable modem hacking tools.exe
  • TCN ISO SigmaX2 firmware.bin.exe
  • Tuneup Ultilities 2008.exe
  • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
  • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
  • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
  • Ultimate xxx password generator 2009.exe
  • VmWare keygen.exe
  • Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • Wow WoLTk keygen generator-sfx.exe
  • xbox360 flashing tools and guide including bricked drive fix.exe
  • Youtube Music Downloader 1.0.exe

Propagation via Removable Drives

This worm drops copies of itself in all removable drives. It also drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The said .INF file contains the following strings:

[AutoRun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%System%\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
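The AUTORUN.INF above (the same strings that Step 4 of the solution section asks you to search for) is what turns a plain file copy on a drive into launch-on-access: the `open` and `shell\open\command` values point at the dropped copy, while the folder icon and the "Open folder to view files" action text make the AutoPlay entry look like the normal Windows one. The following triage script is an added example and not Trend Micro's tooling. It parses the `[AutoRun]` section of an INF file, lists every value that would be executed, and flags the two disguise cues. The two sample files are constructed here: the first from the strings on this page, the second as a typical benign install-disc file; the set of launch keys and the executable-extension list are the example's own assumptions.

```python
"""Triage an AUTORUN.INF file for the launch-on-access pattern described above.

Added example, not Trend Micro's tooling. It parses the [AutoRun] section,
collects every value that names something AutoRun would execute, and flags
the indicators that the worm's dropped file shows: a launch target buried
under a RECYCLER\\S-1-... directory, a borrowed system folder icon, and
action text that mimics the built-in "Open folder to view files" prompt.
"""
import re
from typing import Dict, List

# Constructed sample: the strings listed on this page, as they would sit on
# the root of an infected removable drive.
SAMPLE_AUTORUN = r"""[AutoRun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%System%\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""

# Constructed benign sample for comparison: a vendor driver disc that only
# sets a label and an icon and launches nothing.
BENIGN_AUTORUN = """[AutoRun]
label=Driver Disc
icon=setup.ico
"""

# AUTORUN.INF keys whose value is a command that AutoRun/AutoPlay executes
# (assumed set for this example).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".scr", ".pif")
# Matches a path that starts under RECYCLER\<SID>\, the hiding place used here.
RECYCLER_SID_PATH = re.compile(r"(?i)recycler\\s-1-\d+(?:-\d+)+\\")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [AutoRun] section, keys lowercased.

    Only [AutoRun] drives launch behaviour, so other sections are ignored.
    INF keys are case-insensitive, hence the normalisation.
    """
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values: Dict[str, str]) -> List[str]:
    """Every command the file would run when the drive is opened."""
    return [values[k] for k in LAUNCH_KEYS if k in values]


def triage(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    values = parse_autorun(text)
    findings: List[str] = []
    for target in launch_targets(values):
        if RECYCLER_SID_PATH.search(target):
            findings.append(f"launch target hidden under a RECYCLER SID path: {target}")
        elif target.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"autorun launches an executable: {target}")
    if values.get("action", "").lower() == "open folder to view files":
        findings.append("action text mimics the built-in AutoPlay 'Open folder' entry")
    if "shell32.dll" in values.get("icon", "").lower():
        findings.append("icon borrowed from SHELL32.dll so the entry looks like a folder")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm sample", SAMPLE_AUTORUN), ("benign disc", BENIGN_AUTORUN)):
        print(name, "->", triage(sample) or ["clean"])
```

Pointing `triage()` at the text of a real AUTORUN.INF from a suspect drive gives the same findings list; a file whose only launch target is outside a RECYCLER SID directory is still reported, just with the weaker "launches an executable" finding.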

Propagation via Email

This worm gathers target email addresses from files with the following file extensions:

  • .chm
  • .doc
  • .htm
  • .pdf
  • .tmp
  • .txt

It uses its own Simple Mail Transfer Protocol (SMTP) engine to send email messages with a copy of itself as attachment. The email messages it sends out bear the following details:

Other Details

This worm displays the following image(s) to trick the user into thinking that it is a non-malicious file:

It connects to the following Web site(s):

  • http://{BLOCKED}myip.com/automation/n09230945.asp

It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Jeffrey F. Bernardino

Revision History:

First pattern file version: 5.786.05
First pattern file release date: Jan 22, 2009

SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 5.797.00

Pattern release date: Jan 26, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.


Step 1: Scan your computer with your Trend Micro product and note files detected as WORM_SWARLEY.A

Step 2: Terminate the process detected as WORM_SWARLEY.A [learn how]

*Note:

  1. For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.

Step 3: Delete these registry keys and entries [learn how]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Policies\Explorer\Run
    • Java update = "%System%\javaqs.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
    • Java update = "%System%\javaqs.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run
    • Kaspersky Email Security = "%System%\javaupd.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer
    • bloody-thursday = "1"
    • dieing = "19"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer
    • CabinetFileStateKAV
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Active Setup\Installed Components
    • {1A2K5H58-65CP-B7PP-F600-3023OJX71M20}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Explorer
    • CabinetFileStateKAV
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    AuthorizedApplications\List
    • %System%\javaupd.exe = "%System%\javaupd.exe:*:Enabled:Explorer"

Step 4: Search and delete AUTORUN.INF files created by WORM_SWARLEY.A that contain these strings [learn how]

  [AutoRun]
  open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
  icon=%System%\SHELL32.dll,4
  action=Open folder to view files
  shell\open=Open
  shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
  shell\open\default=1

Step 5: Scan your computer with your Trend Micro product to delete files detected as WORM_SWARLEY.A

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
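Step 3 lists nine registry locations, three of which are autostart entries (two `Run` keys and the `Policies\Explorer\Run` key) and one of which whitelists the worm's copy in the Windows Firewall. Confirming by hand that all of them are gone is error-prone, so the following script is an added example (not Trend Micro's tooling) that checks a registry export for exactly the entries listed above. It reads the text that Regedit or `reg export` writes, maps each key to its string values, and reports every key or value from the Step 3 list that is present, so it can be run once before and once after cleanup. The export it runs on is constructed here from the page's entries plus one legitimate `Run` value that must not be reported. Assumptions of the example: `%System%` is expanded to `C:\Windows\System32` (the XP / Server 2003 location from the note above; change it for other versions), and the parser handles only string (`"name"="data"`) values, not `hex(...)` or `dword:` data.

```python
"""Check a Windows registry export (.reg text) for the persistence and
installation entries listed under Step 3 for WORM_SWARLEY.A.

Added example, not Trend Micro's tooling. It parses the export that Regedit
or `reg export` produces (string values only), expands the page's %System%
placeholder, and reports each listed key or value that is present.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed expansion of the page's %System% placeholder (Windows XP / 2003).
SYSTEM_DIR = r"C:\Windows\System32"

# Indicators copied from Step 3: (key, value name) for value entries, and
# (key, None) where the existence of the key itself is the indicator.
INDICATORS: List[Tuple[str, Optional[str]]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Java update"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Java update"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Kaspersky Email Security"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer", "bloody-thursday"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer", "dieing"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileStateKAV", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1A2K5H58-65CP-B7PP-F600-3023OJX71M20}", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileStateKAV", None),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     SYSTEM_DIR + r"\javaupd.exe"),
]

# Constructed .reg export of an infected machine: the worm's entries plus a
# legitimate Run value (ctfmon.exe) that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Java update"="C:\\Windows\\System32\\javaqs.exe"
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Java update"="C:\\Windows\\System32\\javaqs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"bloody-thursday"="1"
"dieing"="19"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileStateKAV]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kaspersky Email Security"="C:\\Windows\\System32\\javaupd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\javaupd.exe"="C:\\Windows\\System32\\javaupd.exe:*:Enabled:Explorer"
"""

# A value line: a quoted name (with \" and \\ escapes), '=', then the data.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the backslash and quote escaping used inside .reg strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its {value name: data} dict (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # an empty key is still recorded
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(text: str) -> List[str]:
    """Return 'key' or 'key\\value' strings for each listed entry present."""
    keys = parse_reg_export(text)
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}  # registry paths are case-insensitive
    hits: List[str] = []
    for key, name in INDICATORS:
        entry = by_lower.get(key.lower())
        if entry is None:
            continue
        original, values = entry
        if name is None:
            hits.append(original)
        elif name.lower() in {n.lower() for n in values}:
            hits.append(original + "\\" + name)
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EXPORT) or ["no listed entries found"]:
        print(hit)
```

On the constructed export the script reports seven entries: the three autostart values, the two `Explorer` values, the `HKEY_CURRENT_USER` `CabinetFileStateKAV` key and the firewall whitelist value; the Active Setup GUID and the `HKEY_LOCAL_MACHINE` `CabinetFileStateKAV` key are absent from the sample and so are not listed, and `ctfmon.exe` is left alone. An empty result after cleanup is the confirmation Step 3 is looking for.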

       


