Analysis by: Anthony Joe Melgarejo
ALIASES:

Worm:Win32/Xema.gen!B (Microsoft), Backdoor.Trojan (Symantec), W32/Tzhen.worm (McAfee), W32/DollarR.AGS!tr.bdr (Fortinet), W32/Backdoor.AUCW (F-Prot), Win32/VB.AGS trojan (ESET)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 186,368 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 07 Apr 2009

Arrival Details

This worm arrives via removable drives.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %System%\Lcass.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following files:

  • %System%\Lcass.dll
  • %System%\Mswinsck.ocx
  • %System%\Ntsvc.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ImagePath = "%System%\Lcass.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
DisplayName = "PnP plug 0n Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
FailureActions = "{random values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service
Description = "?????????????,???????????????????????????????????????"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PnP plug 0n Service

Other System Modifications

This worm adds the following registry keys:

HKEY_CLASSES_ROOT\MSWinsock.Winsock

HKEY_CLASSES_ROOT\MSWinsock.Winsock.1

HKEY_CLASSES_ROOT\NTService.Control.1

HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_CLASSES_ROOT\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}

HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_CLASSES_ROOT\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}

HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_CLASSES_ROOT\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service

It adds the following registry entries:

HKEY_CLASSES_ROOT\MSWinsock.Winsock
(Default) = "Microsoft WinSock Control, version 6.0"

HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
(Default) = "Microsoft WinSock Control, version 6.0"

HKEY_CLASSES_ROOT\NTService.Control.1
(Default) = "NT Service Control"

HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "Microsoft WinSock Control, version 6.0"

HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "Winsock General Property Page Object"

HKEY_CLASSES_ROOT\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}
(Default) = "NT Service Control"

HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "IMSWinsockControl"

HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
(Default) = "DMSWinsockControlEvents"

HKEY_CLASSES_ROOT\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
(Default) = "_DNtSvc"

HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\
1.0
(Default) = "Microsoft Winsock Control 6.0 (SP5)"

HKEY_CLASSES_ROOT\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}\
1.0
(Default) = "Microsoft NT Service Control"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service
EventMessageFile = "%System%\Ntsvc.ocx"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Eventlog\Application\
PnP plug 0n Service
TypesSupported = "7"

Propagation

This worm creates the following folders in all removable drives:

  • {drive letter}:\RECYCLER

It drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\RECYCLER\Lcass.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=.\RECYCLER\Lcass.exe
shell\1=??(&O)
shell\1\Command=.\RECYCLER\Lcass.exe
shell\2\=??(&V)...
shell\2\Command=.\RECYCLER\Lcass.exe
shellexecute=.\RECYCLER\Lcass.exe

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}n.{BLOCKED}2.org