WORM_CARRIER.AS

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It uses icons similar to those of legitimate applications to entice a user to click them.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\Microsoft\winlogon.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• GTaAxQEmC:a`/Vz

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
winlogon.exe = "%Application Data%\Microsoft\winlogon.exe"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• winlogon.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shell=verb
open=winlogon.exe
action=Open folder to view files
shell\open=Open
icon=%SystemRoot%\system32\SHELL32.dll,4

It uses icons similar to those of legitimate applications to entice a user to click them.

Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

• TCP port 3174

It executes the following commands from a remote malicious user:

• Downloads and executes files
• Updates itself
• Launches DDoS attacks (SYN Flood or UDP Flood)
• Stops and uninstalls itself
• Terminates processes
• Sends application privileges and system uptime
• Displays a message box
• Steals Mozilla Firefox password details
• Sends system related information
• Reports which USB infected drives were infected
• Steals Mozilla Firefox saved user names and passwords

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}9.{BLOCKED}5.19.117