WORM_ZHELAT
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via email, Infects files
WORM_ZHELAT is the Trend Micro detection for malicious files, which, together with NUWAR, belong to the STORM botnet campaign. It spread across systems via mass mailing copies of itself as an attachment. The spammed messages use fake news in its topics.
This Worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It disables Task Manager, Registry Editor, and Folder Options.
TECHNICAL DETAILS
Arrival Details
This Worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This Worm drops the following copies of itself into the affected system:
- %System%\kernels32.exe
- %System%\kernelwind32.exe
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This Worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
System = "%System%\kernels32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
System = "%System%\kernelwind32.exe"
Other System Modifications
This Worm creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"
Other Details
This Worm connects to the following possibly malicious URL:
- http://{BLOCKED}ount.net/adv/039/adload.php?{random characters}
- http://{BLOCKED}ount.net/pic/search.jpg
- http://{BLOCKED}ount.net/pic/winlogon.jpg
- http://{BLOCKED}ount.net/pic/tibs.jpg
- http://{BLOCKED}ount.net/pic/tool.jpg
- http://{BLOCKED}ount.net/pic/proxy.jpg
- http://{BLOCKED}ount.net/32647543ygwvrhbjt3h4evjrbgnrt.php?adv=39&code1=JO0I&code2=3260