WORM_IPPEDO.EP

Infection Channel:

Via physical/removable drives, Dropped by other malware, Downloaded from the Internet

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

File Size:

1,330,176 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

10 Feb 2017

Payload:

Connects to URLs/IPs, Steals information

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

%System Root%\Google\Windowsupdate.lnk
%System Root%\Google\GoogleUpdate.lnk
{All Drive}\Skypee\Windowsupdate.lnk
{All Drive}\Skypee\Googleupdate.lnk

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It drops the following copies of itself into the affected system:

%System Root%\Google\{malware name}
{All Drive}\Skypee\{malware name}

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

%System Root%\Google
%System Root%\Skypee

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

googleupdate

It terminates itself if it finds the following processes in the affected system's memory:

combination of the following processes:
- avp.exe, zonealarm.exe, avguard.exe
- tcpview.exe, procmon.exe, nod32kui.exe
- kavmm.exe, procmon.exe, fsbwsys.exe
- vmacthlp.exe, avp.exe, kavsvc.exe
VBoxService.exe
VBoxTray.exe
guninraik.exe
SbieSvc.exe
VMWareTray.exe
VMWareUser.exe
VMWareService.exe
FortiTracer.exe
vmacthlp.exe
vmtoolsd.exe
BehaviorDumper.exe
FakeHTTPServer.exe
FakeServer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = “%System Root%\Google\Windowsupdate.lnk”

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = “%System Root%\Google\Windowsupdate.lnk”

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
JavaUpdate = “%System Root%\Google\GoogleUpdate.lnk”

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AdopeUpdate = “%System Root%\Google\GoogleUpdate.lnk”

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
NewJavaInstall = “%System Root%\Google\{malware name}”

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AdopeFlash = “%System Root%\Google\{malware name}”

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

Windows Update.lnk
GoogleUpdate.lnk

Other System Modifications

This worm deletes the following files:

googleupdate.vbs

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = “0”

(Note: The default value data of the said registry entry is {User Preference}.)

It deletes the following registry keys:

HKEY_CLASSES_ROOT\lnkfile
IsShortcut =

Propagation

This worm creates the following folder in all physical and removable drives:

{All Drive}\Skypee

It drops the following copies of itself in all physical and removable drives:

{All Drive}\Skypee\{malware name}

Backdoor Routine

This worm executes the following commands from a remote malicious user:

Restart malware
Display message box
Access a a url specified by remote user
Execute command through cmd.exe
Download arbitrary files
Restart
Uninstall malware
Update copy
Capture screenshot
Create executable file with arbitrary code

It connects to the following URL(s) to send and receive commands from a remote malicious user:

colaa.{BLOCKED}tp.com:2015

Information Theft

This worm gathers the following data:

Malware ID
Computer Home Drive
Computer Name
User Name
Country
OS Version
OS Architecture
Webcam Info(“Yes” or “No”)
Malware Version
Installed AV application
Active Window Title

Other Details

This worm terminates itself if any of the following file(s) are present:

snxhk.dll
tracer.dll
SbieDll.dll
api_log.dll
dir_watch.dll
dbghelp.dll
monitornet.dll
cuckoo
SandCastle
sandbox
tracer.dll

It accesses the following URL(s) to get the affected system's location:

http://www.geoplugin.net/json.gp

NOTES:

If the OS Version is Windows 7 or Windows XP, it will retrieve system information using the following command:

%comspec /c SystemInfo

It terminates itself if system information contains the following strings:

Bochs
innotek
VMWare

It terminates itself if the following folders are present:

C:\CWSandbox
C:\python26
C:\cuckoo

It terminates itself if the malware is executed in the following directories:

C:\virus
C:\

It terminates itself if malware name meets the following conditions:

contains "artifact" string
contains "sample" string
malware filename length is greater than 35
malware filename does not start with 7 or more digits of numbers
malware filename does not start with "."

It terminates itself if the following process is not present:

explorer.exeM

It copies files and folders in malware path to the following folders:

%System Root%\Google
{All Drive}\Skypee

It creates the following shortcut (.LNK) files in removable drives that points to its copy:

My Games
My Pictuers
My Videos
Hot
Downloads
Movies
Skypee\Skypee

It also creates shortcut (.LNK) files using folder names as its filename in folders in all of the drives that points to its copy.

It also copies all files found in the executed malware path to the created Skypee folder.

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

13.212.05

FIRST VSAPI PATTERN DATE:

10 Feb 2017

VSAPI OPR PATTERN File:

13.213.00

VSAPI OPR PATTERN Date:

11 Feb 2017

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Windows Update = “%System Root%\Google\Windowsupdate.lnk”
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Windows Update = “%System Root%\Google\Windowsupdate.lnk”
In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- JavaUpdate = “%System Root%\Google\GoogleUpdate.lnk”
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- AdopeUpdate = “%System Root%\Google\GoogleUpdate.lnk”
In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- NewJavaInstall = “%System Root%\Google\{malware name}”
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- AdopeFlash = “%System Root%\Google\{malware name}”

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = “0”

Step 6

Restore this deleted registry key/value from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

In HKEY_CLASSES_ROOT\lnkfile
IsShortcut

Step 7

Search and delete these folders

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%System Root%\Google
{All Drive}\Skypee

Step 8

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%User Startup%\Windows Update.lnk
%User Startup%\GoogleUpdate.lnk
{Removable Drive}\My Games.lnk
{Removable Drive}\My Pictuers.lnk
{Removable Drive}\My Videos.lnk
{Removable Drive}\Hot.lnk
{Removable Drive}\Downloads.lnk
{Removable Drive}\Movies.lnk

Step 9

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_IPPEDO.EP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

WORM_IPPEDO.EP

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific