WORM_ELVI.A

This worm may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This worm may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %User Startup%\skype.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It drops the following copies of itself into the affected system and executes them:

• %ProgramData%\skype.exe

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %ProgramData%\skype.exe.ini

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• programdataskype.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
skype.exe = %ProgramData%\skype.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
skype.exe = %ProgramData%\skype.exe

Propagation

This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

• 1888

It executes the following commands from a remote malicious user:

• DL - Downloads and executes the file. The file will be located in %Temp% folder.
• up - Download and executes the latest version of the malware. Uninstall the previous version.
• ex - Executes a file
• cmd - Perform a remote shell
• pwd - Get specific stored credentials from system then send to C&C server. (e.g. FileZilla, Google Chrome, and NO-IP Dynamic DNS Service)
• un - Uninstall itself from the system

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://saadabd.{BLOCKED}p.biz

It posts the following information to its command and control (C&C) server:

• Removable Devices present
• Serial number of %System Root%
• Malware Version
• OS Service Pack
• OS Version
• Title of active windows
• ID of currently logged on user
• Computer's network name
• Malware Name

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

However, as of this writing, the said sites are inaccessible.

NOTES:

This worm disable File Security Checks using the code snippet:

• $env: SEE_MASK_NOZONECHECKS = 1

This worm bypasses the Windows Firewall by using netsh.exe:

• netsh firewall add allowedprogram %ProgramData%\skype.exe, skype.exe, ENABLE

This worm connects to the C&C server and waits for commands, if no commands were received it will send data every three seconds with the following template:

• lv{delimiter}{malware name}_{%SystemRoot% serial number}{delimiter}{Computer Name}{delimiter}{UserName}{delimiter}””{delimiter}{OS Version}{x86 or x64}{OS Service Pack}{delimiter}{worm version}{delimiter}{if removable media exists, Y or N}{delimiter}--

where delimiter = 0njxq80.

This worm propagates in removable media with at least 1024 megabytes disk space. It drops a copy of itself in the removable media and set it to 'Hidden'.

It creates a My Pictures folder if it did not exist in the removable media then it will set it to 'Hidden'.

It also drops shortcut files (.LNK) pointing to the copy of itself in removable drives. These dropped .LNK files use the names of the folders located on the said drives for their file names. It then sets the attributes of the original folders to Hidden to trick the user into clicking the .LNK files.