Analysis by: Dianne Lagrimas

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares, Propagates via removable drives

This description is based on a compiled analysis of several variants of WORM_SILLY. Note that specific data such as file names and registry values may vary for each variant.

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives via removable drives. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself into network drives. It drops copies of itself in all drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It executes commands from a remote malicious user, effectively compromising the affected system.

It logs a user's keystrokes to steal information.

It sends gathered information to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Payload: Compromises system security, Steals information

Arrival Details

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives via removable drives.

It may arrive via network shares.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System Root%\{malware file name}.exe
  • %Windows%\{malware file name}.exe
  • %User Temp%\{malware file name}.exe
  • %Application Data%\Microsoft\{malware-assigned folder name}\{malware file name}.exe
  • %System%\{malware folder name}\{malware file name}.exe
  • %Application Data%\{malware folder name}\{malware file name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

  • %Application Data%\{malware folder name}
  • %Program Files%\Common Files\{malware folder name}
  • %System%\{malware folder name}
  • %User Temp%\{malware folder name}
  • %Windows%\{malware folder name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{malware name} = "{malware path and file name}"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\{malware name}

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm creates the following folders in all removable drives:

  • {drive letter}:\RECYCLER

It drops the following copy(ies) of itself in all removable drives:

  • {malware file name}.exe
  • {drive letter}:\RÈCYCLER\thumbs.db

It drops copies of itself into network drives.

It drops copies of itself in all drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
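As an added triage example (not Trend Micro's tooling), the following Python checks the two indicator classes this description gives: Explorer\Advanced values flipped away from their documented defaults, and AUTORUN.INF directives that would launch a dropped copy when a drive is opened. The AUTORUN.INF text and the registry snapshot are constructed samples, and the parser only approximates how Windows reads the file.

```python
"""Triage helpers for the WORM_SILLY indicators described on this page.
Added example, not Trend Micro's tooling; inputs below are constructed."""
import configparser

# Defaults documented above for HKCU\...\Explorer\Advanced; the worm flips
# them so its dropped files and their .exe extensions stay out of sight.
EXPLORER_ADVANCED_DEFAULTS = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}

# AUTORUN.INF directives that launch a program when the drive is opened.
AUTORUN_EXEC_KEYS = ("open", "shellexecute")


def explorer_tampering(values):
    """Return {name: (observed, default)} for values that deviate from default."""
    findings = {}
    for name, default in EXPLORER_ADVANCED_DEFAULTS.items():
        observed = values.get(name)
        if observed is not None and int(observed) != default:
            findings[name] = (int(observed), default)
    return findings


def autorun_exec_targets(inf_text):
    """Return the commands an AUTORUN.INF would run (approximate parser).

    Covers 'open=', 'shellexecute=' and 'shell\\<verb>\\command=' entries;
    section and key names are matched case-insensitively like Windows does.
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(inf_text)
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys already lower-cased
            if key in AUTORUN_EXEC_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                targets.append(value.strip())
    return targets


# Constructed sample resembling the dropped AUTORUN.INF described above.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=RECYCLER\\thumbs.db
shell\\Open\\command=RECYCLER\\thumbs.db
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
# Constructed registry snapshot showing the three modifications listed above.
SAMPLE_ADVANCED_VALUES = {"Hidden": "0", "HideFileExt": "1", "ShowSuperHidden": "0"}

if __name__ == "__main__":
    print("Explorer tampering:", explorer_tampering(SAMPLE_ADVANCED_VALUES))
    print("AUTORUN.INF launches:", autorun_exec_targets(SAMPLE_AUTORUN_INF))
```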

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

  • Act as a SOCKS server
  • Download an updated copy of itself or other malware
  • Enumerate and kill processes
  • Enumerate and kill threads
  • Launch denial of service (DoS) attack
  • Modify HOSTS file
  • Seed files
  • Send messages using MSN, AIM, Triton
  • Sniff network traffic
  • Steal Protected Storage data

Information Theft

This worm logs a user's keystrokes to steal information.

Stolen Information

This worm sends gathered information to a predetermined email address using its own Simple Mail Transfer Protocol (SMTP) engine.

  SOLUTION

Minimum Scan Engine: 9.200

Trend customers:

    Keep your pattern and scan engine files updated. Trend Micro antivirus software can clean or remove most types of computer threats. Malware, though, such as Trojans, scripts, overwriting viruses and joke programs which are identified as uncleanable, should simply be deleted.

All Internet users:

    1. Use HouseCall, the Trend Micro online threat scanner, to check for malware that may already be on your PC.
    2. Catch malware/grayware before they affect your PC or network. Secure your Web world with Trend Micro products that offer anti-threat and content security solutions for home users, corporate users, and ISPs.
