Analysis by: JessaD
 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via email, Propagates via peer-to-peer networks, Propagates via removable drives

This worm arrives as attachment to mass-mailed email messages. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It hides files, processes, and/or registry entries.

  TECHNICAL DETAILS

File Size: Varies
Memory Resident: Yes
Initial Samples Received Date: 10 Aug 2010
Payload: Drops files, Hides files and processes, Terminates processes

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %System%\HPWuSchde.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

  • %Windows%\areader.dll - data file

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following file(s)/component(s):

  • %System%\hp-24570.exe - also detected as WORM_BLAKCONT.W
  • %System%\reader_sl.exe - also detected as WORM_BLAKCONT.W
  • %User Profile%\Application Data\SystemProc\lsass.exe - also detected as WORM_BLAKCONT.W
  • %Windows%\reader_sl.exe - also detected as WORM_BLAKCONT.W

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following component file(s):

  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - detected as JS_DURSG.H

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It creates the following folders:

  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
  • %User Profile%\Application Data\SystemProc

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • HPWuSchde.exe{Random characters}

It uses the following names for the copies it drops:

  • [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
  • [antihack tool] Trojan Killer v2.9.4173.exe
  • [Eni0j0 team] Vmvare keygen.exe
  • [Eni0j0 team] Windows 7 Ultimate keygen.exe
  • [fixed]RapidShare Killer AIO 2010.exe
  • [patched, serial not need] Nero 9.x keygen.exe
  • [patched, serial not needed] Absolute Video Converter 6.2-7.exe
  • [patched, serial not needed] PDF to Word Converter 3.4.exe
  • [patched, serial not needed] PDF Unlocker v2.0.5.exePDF-XChange Pro.exe
  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
  • Alcohol 120 v1.9.x.exe
  • Anti-Porn v13.x.x.x.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • AOL Instant Messenger (AIM) Hacker.exe
  • AOL Password Cracker.exe
  • Ashampoo Snap 3.xx [Skarleot Group].exe
  • Avast 4.x Professional.exe
  • Avast 5.x Professional.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • Brutus FTP Cracker.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Counter-Strike Serial key generator [Miona patch].exe
  • Daemon Tools Pro 4.8.exe
  • DCOM Exploit archive.exe
  • DivX 5.x Pro KeyGen generator.exe
  • Divx Pro 7.x version Keymaker.exe
  • Download Accelerator Plus v9.2.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.x.x.x.exe
  • FTP Cracker.exe
  • G-Force Platinum v3.7.6.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto IV [Offline Activation + mouse patch].exe
  • Half-Life 2 Downloader.exe
  • Hotmail Cracker [Brute method].exe
  • Hotmail Hacker [Brute method].exe
  • ICQ Hacker Trial version [brute].exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • IP Nuker.exe
  • K-Lite Mega Codec v5.2 Portable.exe
  • K-Lite Mega Codec v5.2.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • Keylogger unique builder.exe
  • L0pht 4.0 Windows Password Cracker.exe
  • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
  • Magic Video Converter 8.exe
  • McAfee Total Protection 2010 [serial patch by AnalGin].exe
  • Microsoft Visual Basic KeyGen.exe
  • Microsoft Visual C++ KeyGen.exe
  • Microsoft Visual Studio KeyGen.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • MSN Password Cracker.exe
  • Myspace theme collection.exe
  • NetBIOS Cracker.exe
  • NetBIOS Hacker.exe
  • Norton Anti-Virus 2005 Enterprise Crack.exe
  • Norton Anti-Virus 2010 Enterprise Crack.exe
  • Norton Internet Security 2010 crack.exe
  • Password Cracker.exe
  • PDF password remover (works with all acrobat reader).exe
  • Power ISO v4.4 + keygen milon.exe
  • Rapidshare Auto Downloader 3.8.6.exe
  • sdbot with NetBIOS Spread.exe
  • Sophos antivirus updater bypass.exe
  • Sub7 2.5.1 Private.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.3.9.exe
  • UT 2003 KeyGen.exe
  • VmWare 7.x keygen.exe
  • Website Hacker.exe
  • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows Password Cracker + Elar3 key.exe
  • Windows2008 keygen and activator.exe
  • WinRAR v3.x keygen [by HiXem].exe
  • Youtube Music Downloader 1.3.exe
  • YouTubeGet 5.6.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
Adobe Reader Speed Launcher = "%Windows%\reader_sl.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Adobe Reader Speed Launcher = "%Windows%\reader_sl.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HP Software Updater II = "%System%\HPWuSchde.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\ {SID}
StubPath = "%Windows%\reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
RTHDBPL = "%User Profile%\Application Data\SystemProc\lsass.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
HP91
(Default) =  

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion
||||||||||||||||||||||||||||||... = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
h8 = "{number}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
h9 = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
DeleteFlag = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00, 00,00,00,00,b8,0b,00,00,"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\\HPWuSchde.exe = "%System%\HPWuSchde.exe:*:Enabled:Explorer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
DeleteFlag = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00, 00,00,00,00,b8,0b,00,00,"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
Start = "4"

(Note: The default value data of the said registry entry is "2".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is "2".)

Propagation

This worm creates the following folders in all removable drives:

  • %Removable Drive%\RECYCLER

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

  • %Program Files%\bearshare\shared\
  • %Program Files%\edonkey2000\incoming\
  • %Program Files%\emule\incoming\
  • %Program Files%\grokster\my grokster\
  • %Program Files%\icq\shared folder\
  • %Program Files%\kazaa lite k++\my shared folder\
  • %Program Files%\kazaa lite\my shared folder\
  • %Program Files%\kazaa\my shared folder\
  • %Program Files%\limewire\shared\
  • %Program Files%\morpheus\my shared folder\
  • %Program Files%\tesla\files\
  • %Program Files%\winmx\shared\

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%System Root%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It avoids sending email messages to addresses containing the following strings:

    • .gov
    • abuse
    • acd-group
    • {BLOCKED}t.com
    • {BLOCKED}tems.com
    • acketst
    • admin
    • ahnlab
    • {BLOCKED}l-lucent.com
    • anyone
    • apache
    • arin
    • avg.comsysinternals
    • avira
    • badware
    • berkeley
    • bitdefender
    • {BLOCKED}n.ch
    • borlan
    • bpsoft com
    • bsd
    • {BLOCKED}r.com
    • cerific
    • certific
    • cisco
    • clamav
    • contact
    • debian
    • drweb
    • {BLOCKED}t.com
    • example
    • f-secure
    • fido
    • firefox
    • fsf.
    • {BLOCKED}r.com
    • gimp
    • gnu
    • gold-certs
    • gov.
    • honeynet
    • honeypot
    • iana
    • {BLOCKED}m.com
    • icrosoft
    • idefense
    • ietf
    • ikarus
    • {BLOCKED}tyinc.com
    • inpris
    • isc.o
    • isi.e
    • jgsoft
    • kaspersky
    • kernel
    • lavasoft
    • linux
    • listserv
    • mcafee
    • messagelabs
    • mit.e
    • mozilla
    • mydomai
    • nobody
    • nodomai
    • noone
    • nothing
    • novirusthanks
    • ntivi
    • {BLOCKED}ft.org
    • panda
    • pgp
    • postmaster
    • prevx
    • privacy
    • qualys
    • {BLOCKED}or.com
    • rating
    • redhat
    • rfc-ed
    • ruslis
    • sales
    • samba
    • samples
    • secur
    • security
    • sendmail
    • service
    • slashdot
    • somebody
    • someone
    • sopho
    • sourceforge
    • spam
    • spm
    • {BLOCKED}h.com
    • submit
    • {BLOCKED}n.com
    • support
    • suse
    • syman
    • tanford.e
    • the.bat
    • unix
    • usenet
    • utgers.ed
    • virus
    • virusbuster
    • webmaster
    • websense
    • winamp
    • winpcap
    • wireshark
    • www.{BLOCKED}m

Rootkit Capabilities

This worm hides files, processes, and/or registry entries.

Process Termination

This worm terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • Almon.exe
  • ALSvc.exe
  • APvxdwin.exe
  • ashdisp.exe
  • ashserv.exe
  • avcenter.exe
  • avciman.exe
  • AVENGINE.exe
  • avgcsrvx.exe
  • avgemc.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • bdagent.exe
  • bdss.exe
  • CCenter.exe
  • drweb32w.exe
  • drwebupw.exe
  • egui.exe
  • ekrn.exe
  • emproxy.exe
  • FPAVServer.exe
  • FprotTray.exe
  • FPWin.exe
  • guardgui.exe
  • HWAPI.exe
  • iface.exe
  • isafe.exe
  • K7EmlPxy.exe
  • K7RTScan.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • K7TSMngr.exe
  • livesrv.exe
  • mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcods.exe
  • mcpromgr.exe
  • McProxy.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • mps.exe
  • mskagent.exe
  • msksrver.exe
  • NTRtScan.exe
  • Pavbckpt.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PAVSRV51.exe
  • pccnt.exe
  • PSCtrlS.exe
  • PShost.exe
  • PsIMSVC.exe
  • psksvc.exe
  • Rav.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • RedirSvc.exe
  • SavAdminService.exe
  • SavMain.exe
  • SavService.exe
  • sbamtray.exe
  • sbamui.exe
  • seccenter.exe
  • spidergui.exe
  • SrvLoad.exe
  • TmListen.exe
  • TPSRV.exe
  • vetmsg.exe
  • vsserv.exe
  • Webproxy.exe
  • xcommsvr.exe

Other Details

Based on analysis of the codes, it has the following capabilities:

  • Attempts to determine the SMTP Simple Mail Transfer Protocol (SMTP) server of the affected system by using the gathered domain name and the following prefixes:
    • mx.
    • mail.
    • smtp.
    • mx1.
    • mxs.
    • mail1.
    • relay.
    • ns.
    • gate.
  • Checks the location of the Windows Address Book by querying the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

  • Searches for email addresses in the following folder:
    • %User Profile%\Local Settings\Temporary Internet Files
  • Harvests email addresses from files with the following extensions:
    • .txt
    • .htm
    • .xml
    • .php
    • .asp
    • .dbx
    • .log
    • .nfo
    • .lst
    • .rtf
    • .xml
    • .wpd
    • .wps
    • .xls
    • .doc
    • .wab
  • Uses its own Simple Mail Transfer Protocol (SMTP) engine to send email messages with a copy of itself as attachment. The email messages it sends out bear the following details:

    From:
    e-cards@hallmark.com
    invitations@twitter.com
    invitations@hi5.com
    order-update@amazon.com
    resume-thanks@google.com
    update@facebookmail.com

    Subject:
    You have received A Hallmark E-Card!
    Your friend invited you to Twitter!
    Laura would like to be your friend on hi5!
    Shipping update for your Amazon.com order.
    Thank you from Google!
    You have got a new message on Facebook!

It connects to the following URL(s) to get the affected system's IP address:

  • http://{BLOCKED}myip.com/automation/n09230945.asp

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI PATTERN File: 7.376.19
VSAPI PATTERN Date: 11 Aug 2010
VSAPI PATTERN Date: 8/11/2010 12:00:00 AM
FIRST VSAPI PATTERN FILE: 7.374.05
FIRST VSAPI PATTERN DATE: 10 Aug 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_BLAKCONT.W

    •  JS_DURSG.H

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CURRENT_USER\Software\Microsoft\
    • HP91

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Policies\ Explorer\Run
    • Adobe Reader Speed Launcher = %Windows%\reader_sl.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run
    • Adobe Reader Speed Launcher = %Windows%\reader_sl.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run
    • HP Software Updater II = %System%\HPWuSchde.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Active Setup\Installed Components\ {SID}
    • StubPath = %Windows%\reader_sl.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\policies\ Explorer\Run
    • RTHDBPL = %User Profile%\Application Data\SystemProc\lsass.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\ Windows NT\CurrentVersion
    • ||||||||||||||||||||||||||||||... = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • h8 = {number}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • h9 = {number}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    • DeleteFlag = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    • FailureActions = hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%\HPWuSchde.exe = %System%\HPWuSchde.exe:*:Enabled:Explorer
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • DeleteFlag = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • FailureActions = hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    • From: Start = 4
      To: Start = 2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • From: Start = 4
      To: Start = 2

Step 6

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • %Windows%\areader.dll - data file 

Step 7

Scan your computer with your Trend Micro product to delete files detected as


*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.