Modified by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 43,008 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 21 Aug 2008

Installation

This worm drops the following copies of itself into the affected system:

  • %User Temp%\sob5467.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following files:

  • %User Temp%\ntdbg.dat
  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003\desktop.ini
  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003\rec
  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003\send
  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003\send\sysinf
  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003\u.dat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\Z-1-6-22-1085480564-571221492-571812059-1003

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SCMTool = "{malware path}\{malware name}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
@ = "%User Temp%\sob5467.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SCMTool = "{malware path}\{malware name}"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\IExplorer
SCMTool = "{malware path}\{malware name}"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = "ff"

(Note: The default value data of the said registry entry is 91. Both values are hexadecimal bitmasks, one bit per drive type; 91 disables AutoRun for unknown and network drives only, whereas ff sets every bit and disables AutoRun for all drive types on the affected system, including removable drives.)

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\IExplorer

HKEY_LOCAL_MACHINE\SOFTWARE\IExplorer\
OptionalComponents

It modifies the following registry entries so that Windows Explorer no longer displays files with the Hidden attribute or protected operating system files, which keeps the dropped files out of view:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)
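The registry changes above are easiest to reason about when the values are decoded rather than read as raw hex. The following script is an added example for this entry, not the worm's code or a vendor tool: it takes a snapshot of the Explorer policy and Run values, decodes the NoDriveTypeAutoRun bitmask, and reports every deviation from the defaults quoted on this page. The OBSERVED snapshot is constructed from the entries listed above; the expanded %User Temp% path in it is an assumption.

```python
"""Decode the Explorer registry values changed by this worm and report how a
snapshot differs from the Windows XP / Server 2003 defaults quoted above.

Added example for this entry, not the worm's code or a vendor tool. OBSERVED is
a constructed snapshot mirroring the entries listed above; the Run value path
is an assumed %User Temp% expansion, not data from an infected host.
"""

# NoDriveTypeAutoRun is a bitmask with one bit per GetDriveType() result.
# A set bit disables AutoRun for that drive type.
NODRIVETYPEAUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_TYPE_UNDETERMINED",  # documented as 'drives whose type cannot be determined'
}

# Defaults exactly as this entry quotes them (hex strings, as in the registry dumps).
DEFAULTS = {"NoDriveTypeAutoRun": "91", "Hidden": "1", "ShowSuperHidden": "1"}

# Constructed snapshot of the values after infection (see the entries above).
OBSERVED = {
    "NoDriveTypeAutoRun": "ff",
    "Hidden": "2",
    "ShowSuperHidden": "0",
    "Run": {  # HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as under Autostart Technique
        "SCMTool": r"C:\Documents and Settings\user\Local Settings\Temp\sob5467.exe",
        "": r"C:\Documents and Settings\user\Local Settings\Temp\sob5467.exe",
    },
}


def decode_nodrivetypeautorun(value: int) -> set:
    """Return the names of the drive types for which `value` disables AutoRun."""
    return {name for bit, name in NODRIVETYPEAUTORUN_BITS.items() if value & bit}


def autorun_policy_findings(observed: dict, defaults: dict = DEFAULTS) -> list:
    """Compare a registry snapshot with the defaults and return readable findings."""
    findings = []

    cur = int(observed["NoDriveTypeAutoRun"], 16)
    base = int(defaults["NoDriveTypeAutoRun"], 16)
    newly_disabled = decode_nodrivetypeautorun(cur) - decode_nodrivetypeautorun(base)
    if newly_disabled:
        findings.append(
            "NoDriveTypeAutoRun 0x%02x -> 0x%02x: AutoRun additionally disabled for %s"
            % (base, cur, ", ".join(sorted(newly_disabled)))
        )

    # Hidden=2 hides files with the Hidden attribute; ShowSuperHidden=0 hides
    # protected operating-system files. Both keep the dropped files out of Explorer.
    if observed.get("Hidden") != defaults["Hidden"]:
        findings.append("Hidden=%s: Explorer no longer shows hidden files" % observed["Hidden"])
    if observed.get("ShowSuperHidden") != defaults["ShowSuperHidden"]:
        findings.append("ShowSuperHidden=%s: Explorer hides protected OS files" % observed["ShowSuperHidden"])

    # Autostart entries named SCMTool or pointing into a Temp folder, as in this entry.
    for name, target in observed.get("Run", {}).items():
        low = target.lower()
        if name == "SCMTool" or "\\temp\\" in low or low.endswith("sob5467.exe"):
            findings.append("Run value %r -> %s" % (name or "(Default)", target))
    return findings


if __name__ == "__main__":
    for line in autorun_policy_findings(OBSERVED):
        print(line)
```

Run against a real host, the same comparison can be fed from a `reg export` of the two keys; the point to keep in mind is that ff leaves the infected machine itself unable to AutoRun any further media, so the absence of AutoRun on a host is not evidence that it is clean.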

Propagation

This worm creates the following folders in all removable drives:

  • Recycled

It drops the following copy(ies) of itself in all removable drives:

  • explore.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
ShellExecute=explore.exe
Item=255
SubItem=0
SID=111D30662781
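Note that the dropped copy is named explore.exe, one letter short of the legitimate explorer.exe, and that the INF launches it through ShellExecute rather than the more commonly checked open key. The script below is an added example for this entry, not the worm's code or a vendor tool: it parses an AUTORUN.INF, resolves every entry that AutoRun can execute (open, shellexecute and shell\<verb>\command) against the drive root, and separates them from inert keys such as Item, SubItem and SID. The INF text is constructed from the strings quoted above; the drive letter E: is an assumption.

```python
"""Parse an AUTORUN.INF and list what AutoRun would execute from it.

Added example for this entry, not the worm's code or a vendor tool. SAMPLE_INF
is constructed from the strings quoted above; the drive root is an assumption.
"""
import ntpath

SAMPLE_INF = """\
[autorun]
ShellExecute=explore.exe
Item=255
SubItem=0
SID=111D30662781
"""

EXEC_KEYS = ("open", "shellexecute")
KNOWN_KEYS = {"open", "shellexecute", "icon", "label", "action", "useautoplay"}
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys.

    Keys are case-insensitive in INF files; only the [autorun] section is
    honoured; lines without '=' and comment lines are ignored.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def execution_targets(entries: dict, drive_root: str = "E:\\") -> list:
    """Return (key, resolved program path) for every entry AutoRun can launch."""
    targets = []
    for key, value in entries.items():
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            program = value.split()[0].strip('"')  # drop any arguments after the program
            targets.append((key, ntpath.join(drive_root, program)))
    return targets


def triage(text: str, drive_root: str = "E:\\") -> dict:
    """Summarise an AUTORUN.INF: launch targets, use of shellexecute, noise keys."""
    entries = parse_autorun(text)
    targets = execution_targets(entries, drive_root)
    return {
        "targets": targets,
        "uses_shellexecute": "shellexecute" in entries,
        "launches_executable": any(p.lower().endswith(EXE_EXT) for _, p in targets),
        "unknown_keys": sorted(k for k in entries if k not in KNOWN_KEYS and not k.startswith("shell")),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_INF).items():
        print("%-20s %s" % (k, v))
```

When triaging a suspect drive, compare the resolved targets against the files actually present in the root and in the Recycled folder the worm creates; an INF whose only purpose is to launch a root-level executable with an unusual verb, plus a few keys no AutoRun implementation reads, matches the pattern described above.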