WORM_TUFIK.AJ

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. The sent messages contains a link where a copy of the malware may be downloaded.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following non-malicious files:

• %System%\Xpen.dat
• %System%\Penx.dat
• %Windows%\wininit.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following copies of itself into the affected system:

• %Windows%\dc.exe
• %Windows%\SVIQ.EXE
• %System%\WinSit.exe
• %System%\config\Win.exe
• %Windows%\system\Fun.exe
• %Windows%\inf\Other.exe
• %Windows%\Help\Other.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It injects threads into the following normal process(es):

• csrss.exe
• lsass.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
dc2k5 = "%Windows%\SVIQ.EXE"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Fun = "%Windows%\system\Fun.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
dc = "%Windows%\dc.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
run = "%System%\config\Win.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%Windows%\inf\Other.exe"

(Note: The default value data of the said registry entry is "".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %System%\WinSit.exe"

(Note: The default value data of the said registry entry is "Explorer.exe".)

Propagation

This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

The sent messages contain the following link(s), where a copy of the malware may be downloaded:

• http://{BLOCKED}oivb.googlepages.com/NWB.txt

It sends copies of itself to target recipients using the following instant-messaging (IM) applications:

• Yahoo! Messenger

It sends the following messages using the aforementioned Instant Messaging applications:

Chuc mung, ban da tam thoi thoat khoi Worm DungCoi
http://{BLOCKED}ivb.googlepages.com/NWB.txt
Olalala, may tinh cua ban da dinh Worm DungCoi...........

Backdoor Routine

However, as of this writing, the said sites are inaccessible.

Other Details

This worm connects to the following possibly malicious URL:

• http://{BLOCKED}ivb.googlepages.com