WORM_UTOTI.KDR

 Analysis by: JasperM

 PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via peer-to-peer networks

This worm may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites. However, as of this writing, the said sites are inaccessible.

It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size:

510,416 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

14 Sep 2010

Payload:

Compromises system security

Arrival Details

This worm may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

However, as of this writing, the said sites are inaccessible.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\csrcs.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
csrcs = "%System%\csrcs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
csrcs = "%System%\csrcs.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe csrcs.exe

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
ilop = 1

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = 0

(Note: The default value data of the said registry entry is 1.)
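The following audit script is an added example and is not part of this write-up or of any vendor tool. It checks a host, read-only, for the persistence and Explorer-setting changes listed above: the dropped file, the two Run-style values, the appended Winlogon Shell value, the DRM\amty marker and the three hidden-file settings compared with their stated defaults. It assumes %System% resolves to $env:SystemRoot\System32 (true for the XP/Server 2003 targets) and that it runs from an elevated prompt; the per-user HKCU checks only cover the user running it.

```powershell
# Added example (not from the write-up): audit a host for the indicators above.
# Read-only: prints findings and changes nothing. Run elevated; HKCU checks are per user.

$findings = @()

# 1. Dropped copy in the system folder (%System% assumed to be System32 here)
$dropped = Join-Path $env:SystemRoot 'System32\csrcs.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Autostart values named 'csrcs' under the two keys the worm writes
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).csrcs
        if ($value) { $findings += "Autostart value: $key\csrcs = $value" }
    }
}

# 3. Winlogon Shell: the default is exactly 'Explorer.exe'; the worm appends csrcs.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell' (default is 'Explorer.exe')"
}

# 4. Installation marker written by the worm
$marker = 'HKLM:\SOFTWARE\Microsoft\DRM\amty'
if (Test-Path -LiteralPath $marker) {
    $ilop = (Get-ItemProperty -LiteralPath $marker -Name ilop -ErrorAction SilentlyContinue).ilop
    if ($ilop -eq 1) { $findings += "Installation marker: $marker\ilop = 1" }
}

# 5. Explorer hidden-file settings changed away from their defaults (all 1)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$expected = @{ Hidden = 1; ShowSuperHidden = 1; SuperHidden = 1 }
$props = Get-ItemProperty -LiteralPath $advanced -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -ne $actual -and $actual -ne $expected[$name]) {
        $findings += "Explorer setting $name = $actual (default $($expected[$name]))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this write-up were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the Winlogon Shell value or the policies\Explorer\Run key is the strongest signal, because neither is normally populated on a workstation; the Explorer settings alone are weak evidence, since users change them legitimately.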

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[Autorun]
action=view files
open={malware filename}.exe
shell\open\Command={malware filename}.exe
shell\open\Default=1
Icon=%system%\shell32.dll,7
UseAutoPLay=1
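As an added example (not code from this write-up), the script below inspects AUTORUN.INF on each removable drive for the launch pattern shown above and reports which entries would run an executable and whether that executable is present on the drive. It does not run, move or delete anything. The function name Get-AutorunFindings is the author's choice for this example; the parser treats keys case-insensitively and also recognises the standard shellexecute key, which this particular sample does not use.

```powershell
# Added example (not from the write-up): report AUTORUN.INF launch entries on removable drives.
# Read-only inspection; nothing on the drive is executed or modified.

function Get-AutorunFindings {
    param([string]$Root)   # e.g. 'E:\'
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return $null }

    # Parse key=value lines; section headers, comments and blanks are skipped.
    $entries = @{}
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $line = $line.Trim()
        if ($line -match '^\[|^;|^$') { continue }
        $name, $val = $line -split '=', 2
        if ($null -ne $val) { $entries[$name.Trim().ToLower()] = $val.Trim() }
    }

    $reasons = @()
    # Keys that cause a program to run when the drive is opened or AutoPlay fires
    foreach ($k in 'open', 'shell\open\command', 'shellexecute') {
        if ($entries.ContainsKey($k) -and $entries[$k] -match '\.exe\b') {
            $exe = ($entries[$k] -split '\s+')[0]
            $present = Test-Path -LiteralPath (Join-Path $Root $exe)
            $reasons += "$k runs '$exe' (file present on drive: $present)"
        }
    }
    if ($entries.ContainsKey('useautoplay')) {
        $reasons += "UseAutoPlay=$($entries['useautoplay'])"
    }
    if ($entries.ContainsKey('action')) {
        $reasons += "action label '$($entries['action'])' mimics a normal AutoPlay prompt"
    }

    [pscustomobject]@{ Drive = $Root; AutorunInf = $inf; Reasons = $reasons }
}

# DriveType 2 = removable; Get-CimInstance requires PowerShell 3 or later.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $result = Get-AutorunFindings -Root ($_.DeviceID + '\')
    if ($result) { $result | Format-List }
}
```

An autorun.inf whose open and shell\open\Command both point at an .exe stored on the same removable drive, with a generic action label such as "view files", is the pattern to look for; a legitimate installer disc usually names a vendor setup program and does not set both keys to the same file.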

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

Other Details

Based on analysis of the code, it has the following capabilities:

  • This malware drops copies to shared folders used by the following P2P applications: FrostWire, eMule, Kazaa, LimeWire, Shareaza, DC++, and Ares
  • The dropped copies in shared folders are compressed in the following formats: ZIP and RAR
  • It also drops copies in shared folders used by torrents, under the following names:
      • Adobe Photoshop CS4 Extended
      • Nero 9 Reloaded 9.4.26.0
      • Microsoft Office Enterprise 2007
      • Microsoft Windows 7 Ultimate Retail(Final) x86 and x64
      • WinRAR v3.90 Final
      • WinRAR v4.0 Final
      • WinRAR v5.0 Final
      • LimeWire PRO v5.4.6.1 Final
      • WinZip PRO v14.1
      • WinZip PRO v15.1
      • WinZip PRO v16.1
      • Metro 2033 Proper
      • Battlefield Bad Company 2
      • Just Cause 2
      • Assassins Creed 2
      • Mass_Effect_2
      • The Sims 3 Final
      • BioShock_2
      • TuneUp.Utilities.2010.v9.0.3100.22-TE
      • Sony Vegas Pro 9.0c Build 896 [32.64 bit]
      • Command & Conquer 4 Tiberian Twilight Retail
      • Counter-Strike 1.6 v.38
      • Batman.Arkham.Asylum
      • Pro.Evolution.Soccer.2010
      • Call of Duty 4 Modern Warfare
      • Call of duty 5 World At War
      • Fallout.3.Game.of.the.Year.Edition
      • Diablo 2 + Diablo 2: Lord Of Destruction
      • Grand Theft Auto Vice City
      • Warhammer 40000 Dawn Of War II Chaos Rising
      • Adobe Flash CS4 Professional
      • Pinnacle Studio 14 HD Ultimate
      • Autodesk AutoCAD 2010
      • Partition Magic 8
      • ConvertXtoDVD v4.x
      • Mathworks.Matlab.R2010a
      • Alcohol 120 v2.x
      • Adobe Illustrator CS4
      • DAEMON Tools Pro Advanced 4.x
      • Rosetta.Stone.V.3.3.5.Plus
      • Aliens Vs Predator Proper
      • Dragon Age Origins
      • Need.For.Speed.Shift
  • This worm connects to the following sites to get the IP address and geographical location of the infected system:
      • www.whatismyip.com/automation/n09230945.asp
      • http://geoloc.daiguo.com/?self
  • This malware gathers the following information: User Name, Computer Name, OS Version, OS Service Pack, Home Drive, Drive Serial, OS Language, and System Directory

It connects to the following website to send and receive information:

  • {BLOCKED}e.extasix.com
  • www.{BLOCKED}c0.com
  • {BLOCKED}y.myhome.cx
  • www.{BLOCKED}c0.com.cn