WORM_OBFUSCA.JS
Aliases: Trojan.Win32.SelfDel.bvv (Kaspersky), variant of Win32/VBObfus.HR trojan (Eset)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.
It bypasses the Windows firewall. This allows the malware to perform its intended routine without being detected by an installed firewall.
It deletes itself after execution.
TECHNICAL DETAILS
File size: 69,632 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 29 Nov 2012
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following files:
- %User Profile%\{random}.exe
- %User Profile%\{random}.exe
- %User Profile%\Passwords.exe
- %User Profile%\Porn.exe
- %User Profile%\runme.exe
- %User Profile%\Secret.exe
- %User Profile%\Sexy.exe
- %Application Data%\{random folder}\svcnost.exe
- %System%\DLL1805.dll
- {Removable Drive}\{random}.exe
- {Removable Drive}\Passwords.exe
- {Removable Drive}\Porn.exe
- {Removable Drive}\Secret.exe
- {Removable Drive}\Sexy.exe
- {Removable Drive}\x.mpeg
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.
It creates the following folders:
- %Application Data%\{random folder}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random} = "%User Profile%\{random}.exe /{random letter}"
The scheduled task executes the malware every hour, for {time}, for 24 hours every day, starting on {date}.
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters
ServiceDll = "%System%\DLL1805.dll"
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"
(Note: The default value data of the said registry entry is 1.)
It modifies the following registry entry to disable the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"
(Note: The default value data of the said registry entry is 1.)
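A read-only PowerShell audit for the registry changes listed above, added here as an example and not part of the Trend Micro entry. It assumes an elevated session on the host being checked, reports any matching value, and changes nothing.

```powershell
# Added audit example (not from the Trend Micro entry): read-only checks for the
# registry modifications this entry attributes to WORM_OBFUSCA.JS.
$findings = @()

# 1. Windows Firewall disabled in the standard profile (default EnableFirewall = 1).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { $findings += 'StandardProfile EnableFirewall = 0' }

# 2. Automatic Updates disabled through the policy key the worm adds.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { $findings += 'WindowsUpdate\AU NoAutoUpdate = 1' }

# 3. Protected files hidden in Explorer (default ShowSuperHidden = 1).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += 'Explorer\Advanced ShowSuperHidden = 0' }

# 4. Any service whose Parameters\ServiceDll points at the dropped DLL1805.dll.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $params = Join-Path $svc.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and $dll -match '\\DLL1805\.dll$') {
        $findings += "Service $($svc.PSChildName) ServiceDll = $dll"
    }
}

# 5. HKCU Run values shaped like "%User Profile%\{random}.exe /{random letter}":
#    an executable directly under the profile folder followed by a one-letter switch.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $pattern = '^"?' + [regex]::Escape($env:USERPROFILE) + '\\[^\\]+\.exe"?\s+/[A-Za-z]$'
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and ($prop.Value -match $pattern)) {
            $findings += "Run value $($prop.Name) = $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No WORM_OBFUSCA.JS registry indicators found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

The Run-key check is a heuristic on the naming pattern the entry describes, so treat a hit there as a lead to examine, not a confirmed infection on its own.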
Other Details
This worm connects to the following possibly malicious URLs:
It deletes itself after execution.