WORM_SCAR.TI
Aliases: Trojan.Gen (Symantec); Trojan:Win32/Alureon.CT (Microsoft); Trojan-Dropper.Win32.TDSS.efj (Kaspersky); Generic Dropper.uc (McAfee)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself in all removable drives.
TECHNICAL DETAILS
File Size: 119,808 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 11 May 2011
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %User Temp%\{malware filename}.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Autostart Technique
This worm modifies the following registry entry to ensure its automatic execution at every user logon (Winlogon runs each comma-separated program listed in Userinit, so the dropped copy starts alongside the legitimate userinit.exe):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %User Temp%\{malware file name}.exe"
(Note: The default value data of the said registry entry is "%System%\userinit.exe,".)
Other System Modifications
This worm adds the following registry entries:
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\international
acceptlanguage = "en-us"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
featurecontrol\FEATURE_BROWSER_EMULATION
svchost.exe = "dword:000022b8"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
maxhttpredirects = "dword:000022b8"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
enablehttp1_1 = "1"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2
(Note: The default value data of the said registry entry is 1. A value of 2 tells Explorer not to display hidden files and folders, which helps conceal the dropped copy.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 2
(Note: The default value data of the said registry entry is 0. A non-zero value tells Explorer to hide extensions for known file types, so an executable's .exe extension is not shown.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
CurrentLevel = 0
(Note: Zone 3 is the Internet security zone. The default value data of the said registry entry is 11000.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1601 = 0
(Note: The default value data of the said registry entry is 1. In the zone action values, 0 enables the action without prompting, 1 prompts, and 3 disables it.)
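The Userinit persistence described under Autostart Technique and the Explorer and Internet-zone changes listed under Other System Modifications can be checked offline against a registry export. The following Python script is an added example written for this page; it is not Trend Micro's tooling and not code from the malware. It parses a small constructed .reg export (the sample data, the file name setup.exe and the user name are made up for the example) and flags every Userinit entry other than the system userinit.exe, plus the weakened Explorer and zone settings.

```python
import re
from typing import Dict, List

# Constructed sample of a .reg export from an infected Windows XP host
# (made up for this example, not a real capture). The Userinit value carries
# the extra entry the worm appends; the other keys show the weakened settings.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000002

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
"1601"=dword:00000000
"""

# Constructed clean export: the default Userinit value, trailing comma included.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Keys of interest, lower-cased because registry paths are case-insensitive.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
ZONE3_DEFAULT = r"hkey_users\.default\software\microsoft\windows\currentversion\internet settings\zones\3"


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: keys, REG_SZ strings and dwords."""
    hive: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and double quotes with a backslash
                hive[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                hive[current][name] = int(data[6:], 16)
    return hive


def userinit_extras(hive: Dict[str, Dict[str, object]]) -> List[str]:
    """Return every Userinit entry other than the legitimate %System%\\userinit.exe."""
    value = str(hive.get(WINLOGON, {}).get("userinit", ""))
    extras: List[str] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # the default value ends with a comma, leaving an empty entry
        lowered = entry.lower()
        if lowered.endswith("\\userinit.exe") and "\\system32\\" in lowered:
            continue
        extras.append(entry)
    return extras


def audit(text: str) -> List[str]:
    """Run the checks for this worm's registry indicators over a .reg export."""
    hive = parse_reg(text)
    findings: List[str] = []
    for extra in userinit_extras(hive):
        note = "Userinit has extra entry: " + extra
        if "\\temp\\" in extra.lower():
            note += " (runs from a Temp directory)"
        findings.append(note)
    adv = hive.get(EXPLORER_ADV, {})
    if adv.get("hidden") == 2:
        findings.append("Explorer: Hidden=2, hidden files and folders are not displayed")
    if adv.get("hidefileext", 0) != 0:
        findings.append("Explorer: HideFileExt set, extensions of known file types are hidden")
    zone = hive.get(ZONE3_DEFAULT, {})
    if zone.get("currentlevel") == 0:
        findings.append("Internet zone (3) CurrentLevel=0 in the .DEFAULT profile")
    if zone.get("1601") == 0:
        findings.append("Internet zone (3) action 1601 set to 0 (enabled) in the .DEFAULT profile")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a live host the same checks apply to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; anything in Userinit other than the system userinit.exe is worth a second look, and the extra entry here is the file to collect before cleaning the value back to its default.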
Propagation
This worm drops copies of itself in all removable drives.