WOLYX


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware

WOLYX, or also known as ‘Olyx’, was first spotted in a package called PortalCurrent events-2009 July 5.rar, where the content suggests that it was extracted from Wikipedia community portal current events page.

WOLYX variants usually drop its DLL component file in %ProgramFiles%\Common Files\Microsoft Shared\Office12 to disguise itself as a normal Microsoft file. It installs its component file as a service for its automatic execution and memory residency on the system. This malware family needs to be injected in certain process or browser before it can perform its malicious routines thus compromising the infected system.

Most of the WOLYX variants are packaged with another backdoor capable of running on Mac OSX.

  TECHNICAL DETAILS

Payload:

Connects to URLs/IPs

Installation

This backdoor drops the following copies of itself into the affected system:

  • %User Temp\{Random filename and extension}

It drops and executes the following files:

  • %Program Files%\Common Files\Microsoft Shared\OFFICE12\MSO32.DLL

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %System Root%\Users\Public\{AFAFB2EE-837C-4EA5-B933-998F94AEC654}
  • %System Root%\ProgramData\{AFAFB2EE-837C-4EA5-B933-998F94AEC654}
  • %Windows%\TEMP\TEMP
  • %Program Files%\Common Files\Microsoft Shared\OFFICE12

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Windows% is the Windows folder, which is usually C:\Windows.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager
PendingFileRenameOperations = "%User Temp\{Random filename and extension}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
1001 = "%SystemRoot%\system32\mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
1002 = "%SystemRoot%\system32\mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
1003 = "%SystemRoot%\system32\mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
1004 = "%SystemRoot%\system32\rsvpsp.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
1005 = "%SystemRoot%\system32\rsvpsp.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinSock2\mswsock32
PathName = "%Program Files%\Common Files\Microsoft Shared\OFFICE12\MSO32.DLL"

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.172.177