Analysis by: Mark Joseph Manahan
ALIASES:

Trojan.Win32.Bublik.zuo (Kaspersky), VirTool:Win32/CeeInject (Microsoft), Win32/Caphaw.I trojan (Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 315,392 bytes
File Type: EXE
Initial Samples Received Date: 11 Jan 2013

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %Application Data%\{random folder found}\{filename found in %System%}

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random CLSID} = "%Application Data%\{random folder found}\{filename found in %System%}"

Other Details

This worm connects to the following possibly malicious URL:

  • https://{BLOCKED}s.cc/ping.html
  • https://{BLOCKED}ections.su/ping.html
  • https://{BLOCKED}ctions.su/ping.html

NOTES:

It creates .LNK (shortcut) files by using folder names found in removable drives. It will then hide the original folder to trick users into clicking the .LNK files.

The .LNK files point to a dropped copy of the malware in the removable drive with the path {random folder found in removable}\{random name}.{random extension}.