Worm.Win32.CONUS.E

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any backdoor routine.

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops a copy of itself in the following folders using different file names:

• %User Temp%\conhost.exe → if sample is not running as this path and file name
• {Removable Drive Letter}:\RECYCLER\Dcfly.exe
• {Removable Drive Letter}:\{Folder Name in the Root Path of Removable Drive}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\ppxxxx → Used to hide .exe file extension and to create autorun registry, deleted afterwards
• %User Temp%\tmpx5.tmp
• %User Temp%\must.bat → executes commands that acquire information about the affected machine, deleted afterwards
• %User Temp%\t.log
• %User Temp%\s.log
• %User Temp%\workgrp.tmp
• %User Temp%\hostname.tmp
• %User Temp%\sharedir.tmp
• %User Temp%\sd.t
• %User Temp%\winword4.doc → contains the stolen information from the commands executed by %User Temp%\must.bat
• %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS → archive file that contains stolen files
• {Removable Drive Letter}:\RECYCLER\{Encrypted Computer Name}.NLS → archive file that contains stolen files

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• regini.exe %User Temp%\ppxxxx
• %User Temp%\conhost.exe → if sample is not running as this path and file name
• cmd /c %User Temp%\must.bat
• %System%\cmd.exe "cmd.exe /v:on /c %User Temp%\must.bat 2"
• %System%\cmd.exe chcp
• %System%\cmd.exe netuser
• %System%\net.exe "%System%\net1 user"
• %System%\cmd.exe "net localgroup administrators"
• %System%\net.exe "%System%\net1 localgroup administrators"
• %System%\cmd.exe tasklist
• %System%\cmd.exe systeminfo
• %System%\cmd.exe "ipconfig /all"
• %System%\cmd.exe "netstat -ano"
• %System%\cmd.exe "arp -a"
• %System%\cmd.exe "netstat -r"
• %System%\NETSTAT.EXE "%System%\cmd.exe /c "%System%\route.exe" print"
• %System%\cmd.exe "%System%\route.exe print"
• %System%\cmd.exe "nbstat -n"
• %System%\cmd.exe "nbstat -c"
• %System%\cmd.exe netstart
• %System%\net.exe "%System%\net1 start"
• %System%\cmd.exe "net use"
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" echo n""
• %System%\cmd.exe "net share"
• %System%\net.exe "%System%\net1 share"
• %System%\cmd.exe "net user /domain"
• %System%\net.exe "%System%\net1 user /domain"
• %System%\cmd.exe "net view domain"
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
• %System%\cmd.exe "find /i /v "------""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\s.log""
• %System%\cmd.exe "find /i /v "domain""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
• %System%\cmd.exe "find /i /v "completed successfully"
• %System%\cmd.exe "net view /domain:"WORKGROUP""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\workgrp.tmp""
• %System%\cmd.exe "find "\""
• %System%\cmd.exe "net view \{Networked Computer Name}""
• %System%\cmd.exe "find "Disk""
• %System%\cmd.exe "ping -n 1 {Networked Computer Name}"
• %System%\cmd.exe "findstr /i "Pinging Reply Request Unknown""
• %Program Files%\winrar\rar.exe u -apC -ed-tk -dh -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS "{Stolen File Name}"
• %System%\xcopy.exe /d /c /i /h /r /y %User Temp%\WPDNSE\*.NLS {Removable Drive Letter}:\RECYCLER
• %System%\xcopy.exe /d /c /i /h /r /y %User Temp%\Media\*.ldf {Removable Drive Letter}:\RECYCLER
• %System%\xcopy.exe /d /c /i /h /r /y {Removable Drive Letter}:\RECYCLER\*NLS %User Temp\WPDNSE
• %Program Files%\winrar\rar.exe u -apF -r -ed-tk -dh -sl5000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS {Removable Drive Letter}:\*.doc {Removable Drive Letter}:\*.docx {Removable Drive Letter}:\*.pdf {Removable Drive Letter}:\*.mvd {Removable Drive Letter}:\*.tif {Removable Drive Letter}:\*.xls {Removable Drive Letter}:\*.xlsx
• %Program Files%\rar.exe u -ap172.16.19.{2-253}\C$ -r -ed -tk -dh -sl1000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS \172.16.19.{2-253}\C$\*.doc \172.16.19.{2-253}\C$\*.docx \172.16.19.{2-253}\C$\*.pdf \172.16.19.{2-253}\C$\*.mvd \172.16.19.{2-253}\C$\*.tif \172.16.19.{2-253}\C$\*.xls \172.16.19.{2-253}\C$\*.xlsx
• %Program Files%\rar.exe u -ap172.16.20.{2-253}\C$ -r -ed -tk -dh -sl1000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS \172.16.20.{2-253}\C$\*.doc \172.16.20.{2-253}\C$\*.docx \172.16.20.{2-253}\C$\*.pdf \172.16.20.{2-253}\C$\*.mvd \172.16.20.{2-253}\C$\*.tif \172.16.20.{2-253}\C$\*.xls \172.16.20.{2-253}\C$\*.xlsx

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Temp%\WPDNSE
• {Removable Drive Letter}:\RECYCLER

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
Load = {Malware File Path}\{Malware File name}.exe

Backdoor Routine

This Worm does not have any backdoor routine.

Rootkit Capabilities

This Worm does not have rootkit capabilities.

Information Theft

This Worm gathers the following data:

• From the infected machine:
  • Computer name
  • Current date and time
  • Windows version
  • Contents of %System%\boot.ini
  • List of user accounts
  • List of administrator groups
  • List of running processes
  • System information
  • IP configuration
  • Active connection and listening ports
  • List of running services
  • List of network connections
  • List of domain user accounts
  • List of domains
  • List of computers in the domain
  • List of directories in drives C:, D:, E:, F:, G:, H:, and I:

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Worm does the following:

• It sets the attributes of folders in removable drives to hidden and system only and creates a copy of itself in the removable drive using the file name of the folder that it has hidden.
• It checks the recently opened files list, removable drives, and IPC$ shares for files with the following extensions:
  • .doc
  • .docx
  • .pdf
  • .mvd
  • .tif
  • .xls
  • .xlsx
• It then adds the found files to the archive file %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS.
• It tries to access IPC$ shares using the following IP addresses:
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.{2-253}
  • {BLOCKED}.{BLOCKED}.{BLOCKED}.{2-253}
• It uses the following username-password combination to access IPC$ shares:
  • A\administrator - ttmt-anat
  • A\administrator - ttmt-tcv-anat
  • TCV\migrator - anat2012

It does not exploit any vulnerability.