WORM_GOLROTED.D

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• %Application Data%\WindowsUpdate.exe (detected as WORM_GOLROTED.SMV1)
• %Application Data%\pid.txt
• %Application Data%\pidloc.txt
• %User Temp%\screens\screenshot{1, 2, 3, ...}.jpeg (takes screenshots every 10 minutes)

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Temp%\7136\7136.exe (detected as WORM_GOLROTED.SMV1)

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "%Application Data%\WindowsUpdate.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\7136

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\7136\
DEBUG

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Removable drive}:\Sys.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=Sys.exe
action=Run win32

Download Routine

This worm connects to the following URL(s) to download its component file(s):

• www.{BLOCKED}ad.{BLOCKED}update.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
• www.{BLOCKED}ad.{BLOCKED}update.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
• www.{BLOCKED}ad.{BLOCKED}update.com/msdownload/update/v3/static/trustedr/en/B1BC968BD4F49D622AA89A81F2150152A41D829C.crt

Information Theft

This worm gathers the following data:

• Keylogger details
• Server name
• Keyboard logs
• Clipboard logs
• Time logs
• Stealer details
• System time
• Installed language
• Operating system
• Internal IP address
• External IP address
• Installed Anti-virus
• Installed Firewall

It attempts to steal stored email credentials from the following:

• IncrediMail
• Eudora
• Group Mail Free
• MS Outlook
• MS Outlook 2002/2003/2007/2010
• Gmail
• Hotmail/MSN
• Yahoo! Mail
• Netscape Mail
• Thunderbird
• Google Desktop
• Windows Mail
• Windows Live Mail
• Outlook 2013
• Internet Account Manager

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• IE
• Firefox
• Chrome
• Chrome SxS
• Opera
• Safari
• SeaMonkey

NOTES:

This worm access the following Simple Mail Transfer Protocol (SMTP) servers in preparation to send its stolen information:

• smtp.live.com

It disables the following processes:

• taskmgr.exe
• cmd.exe
• msconfig.exe
• regedit.exe

It also searches for CD keys, product keys, and serial numbers of the following applications:

• Spinter Cell Pandora Tomorrow
• Splinter Cell Chaos Theory
• Call of Duty
• Call of Duty United Offensive
• Call of Duty 2
• Call of Duty 4
• Call of Duty WAW
• Dawn of Warm
• Dawn of War - Dark Crusade
• Medieval II Total War
• Adobe Goolive
• Nero 7
• ACDSystems PicAView
• Act of War
• Adobe Photoshop 7
• Advanced PDF Password Recovery
• Advanced PDF Password Recovery Pro
• Advanced ZIP Password Recovery
• Anno 1701
• Ashamopp WinOptimizer Platinum
• AV Voice Changer, Battlefield(1942)
• Battlefield 1942 Secret Weapons of WWII
• Battlefield 1942 The Road to Rome
• Battlefield 2, Battlefield(2142)
• Battlefield Vietnam
• Black and White
• Black and White 2
• Boulder Dash Rocks
• Burnout Paradise
• Camtasia Studio 4(Name)
• Chrome, Codec Tweak Tool
• Command and Conquer Generals
• Command and Conquer Generals Zero Hour
• Red Aler 2
• Red Alert
• Command and Conquer Tiberian Sun
• Command and Conquer 3
• Company of Heroes
• Counter-Strike, Crysis
• CyberLink PowerDVD
• CyberLink PowerBar
• CyberLink PowerProducer
• Day of Defeat
• The Battle for Middle-earth II
• The Sims 2
• The Sims 2 University
• The Sims 2 Nightlife
• The Sims 2 Open For Business
• The Sims 2 Pets
• The Sims 2 Seasons
• The Sims 2 Glamour Life Stuff
• The Sims 2 Celebration Stuff
• The Sims 2 H M Fashion Stuff
• The Sims 2 Family Fun Stuff
• DVD Audio Extractor
• Empire Earth II
• F.E.A.R, F-Secure
• FARCRY, FARCRY 2
• FIFA 2002
• FIFA 2003
• FIFA 2004
• FIFA 2005
• FIFA 07
• FIFA 08
• Freedom Force
• Frontlines: Fuel of War Beta
• GetRight
• Global Operations
• Gunman, Half-Life
• Hellgate: London
• Hidden & Dangerous 2
• IGI 2 Retail
• InCD
• iPod Converter
• James Bond 007 Nightfire
• Status Legends of Might and Mahic
• Macromedia Flash 7
• Macromedia Fireworks 7
• Macromedia Dreamweaver 7
• Madden NFL 07
• Matrix Screensave
• Medal of Honor Airborne
• Medal of Honor Allied Assault
• Medal of Honor Allied Assault: Breakthrough
• Medal of Honor Allied Assault: Spearhead
• Medal of Honor: Heroes 2
• mIRC
• Nascar Racing 2002
• Nascar Racing 2003
• NHL 2002
• NBA LIVE 2003
• NBA LIVE 2004
• NBA LIVE 07
• NBA Live 08
• Need for Speed Carbon
• Need for Speed Hot Pursuit 2
• Need for Speed Most Wanted
• Need for Speed ProStreet
• Need for Speed Underground
• Need for Speed Underground 2
• Nero - Burning Rom
• Nero 7
• Nero 8
• NHL 2003
• NHL 2004
• NHL 2005
• NOX, Numega SmartCheck
• Online TVPlayer
• O&O Defrag 8.0
• Partition Magic 8.0
• Passware Encryption Analyzer
• Passware Windows Key
• PowerDVD, PowerStrip
• Pro Evolution Soccer 2008
• Rainbow Six III RavenShield
• Shogun Total War Warlord Edition
• Sid(Meier)'s Pirates!
• Sim City 4 Deluxe
• Sim City 4
• Sniffer Pro 4.5
• Soldiers of Anarchy
• Stalker - Shadow of Chernobyl
• Star Wars Battlefront II(v1.0)
• Star Wars Battlefront II(v1.1)
• Steganos Internet Anonym VPN
• Supreme Commander
• S.W.A.T 2
• S.W.A.T 3
• S.W.A.T 4
• TechSmith SnagIt
• Texas Calculatem 4
• The Orange Box
• TMPGEnc DVD Author
• TuneUp 2007
• TuneUp 2008
• TuneUp 2009
• Winamp
• SPORE(TM)
• Mirror's Edge
• Half-Life
• Halo
• Grand Theft Auto IV
• PES2009
• Dead Space
• Battlefield 2 Special Forces
• Transformers2
• Bully Scholarship Edition