WORM_SPYBOT.BUQ

 Analysis by: Andrei Castillo

 ALIASES:

W32/Sality.AA (Fortinet), Virus:Win32/Sality.AM (Microsoft), Win32/Sality.NAR virus (NOD32), W32/Autorun.worm.ev (McAfee)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size:

1,470,908 bytes

File Type:

EXE

Initial Samples Received Date:

12 Sep 2012

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

  • {removable drive letter}:\lbmxc.cmd
  • %System%\{random folder name}\{malware filename}.exe
  • %System%\{random folder name}\{random filename}.{random extensions}
  • %Windows%\LastGood\INF\oem13.inf
  • %Windows%\LastGood\INF\oem13.PNF
  • %Windows%\inf\oem13.inf
  • %Windows%\inf\oem13.PNF

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKLM\Software\Microsoft\
Windows\CurrentVersion\Run
{malware filename} = "%System%\{random number}\{malware filename}.exe"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

  • {malware filename}.lnk

Other System Modifications

This worm adds the following registry keys:

HKCU\Software\{username}{random numbers}

HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\
system

It modifies the following registry keys:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"

(Note: The default value data of the said registry entry is "0".)

HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

(Note: The default value data of the said registry entry is "1".)

HKLM\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is "1".)

HKLM\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

(Note: The default value data of the said registry entry is "1".)

It adds the following registry entries to disable the Task Manager:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\system
DisableTaskMgr = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKCU\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKLM\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{application path and filename} = "{application path and filename}:*:Enabled:ipsec"

It deletes the following registry keys:

HKLM\SYSTEM\CurrentControlSet\
Control\SafeBoot

HKLM\SYSTEM\CurrentControlSet\
Services\ALG

Propagation

This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It infects files of the following file type(s) in network shares, ensuring its propagation across the network:

  • EXE
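The registry changes listed under Other System Modifications and the removable-drive behaviour described under Propagation are the host-side indicators a responder can check directly. The script below is an added example, not part of this write-up or any Trend Micro tool: it audits a Windows host for those indicators and reports matches without changing anything. It assumes it runs as an administrator in Windows PowerShell (2.0-era cmdlets only, so it also works on the XP/7 hosts listed above), it reads the firewall values under CurrentControlSet rather than the ControlSet001 path quoted above (assumption: CurrentControlSet is the active control set on a live host), and the "Run entry points into a %System% subfolder" check is a heuristic derived from the path pattern in the Autostart Technique section, not a signature.

```powershell
# Added example (not from the write-up): read-only audit for the WORM_SPYBOT.BUQ
# indicators described on this page. Run as administrator.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Values the worm sets, with the default quoted in the write-up where it states one.
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$fwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$valueChecks = @(
    @{ Path = $policies; Name = 'DisableRegistryTools'; Bad = 1; Note = 'default 0' },
    @{ Path = $policies; Name = 'DisableTaskMgr';       Bad = 1; Note = 'disables Task Manager' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0; Note = 'default 1' },
    @{ Path = $fwProfile; Name = 'EnableFirewall';       Bad = 0; Note = 'default 1' },
    @{ Path = $fwProfile; Name = 'DoNotAllowExceptions'; Bad = 0; Note = 'default 1' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Bad = 2; Note = 'hides files with the Hidden attribute' }
)
foreach ($c in $valueChecks) {
    $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
    if ($null -ne $current -and [int]$current -eq $c.Bad) {
        $findings += "Registry: $($c.Path)\$($c.Name) = $current ($($c.Note))"
    }
}

# Keys the worm deletes; their absence breaks Safe Mode and the ALG service.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\ALG') {
    if (-not (Test-Path $key)) { $findings += "Registry: expected key is missing: $key" }
}

# Firewall exception list entries in the "...:*:Enabled:ipsec" form quoted above.
$authList = "$fwProfile\AuthorizedApplications\List"
if (Test-Path $authList) {
    foreach ($p in (Get-ItemProperty -Path $authList).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like '*:*:Enabled:ipsec') {
            $findings += "Firewall exception: $($p.Name) -> $($p.Value)"
        }
    }
}

# Heuristic: Run entries whose image is an .exe one folder below %System%
# (the "%System%\{random number}\{malware filename}.exe" pattern).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$system32 = [regex]::Escape((Join-Path $env:SystemRoot 'System32') + '\')
$pattern = '^' + $system32 + '[^\\]+\\[^\\]+\.exe$'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -ne $run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value.Trim('"') -match $pattern) {
            $findings += "Run entry (heuristic): $($p.Name) = $($p.Value)"
        }
    }
}

# Removable drives (DriveType 2): AUTORUN.INF, the dropped lbmxc.cmd, and .exe
# files named after folders on the same drive, as described under Propagation.
foreach ($d in (Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2')) {
    $root = $d.DeviceID + '\'
    $autorun = Join-Path $root 'AUTORUN.INF'
    if (Test-Path $autorun) {
        $findings += "Removable: $autorun present"
        Get-Content $autorun -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { $findings += "Removable:   $_" }
    }
    if (Test-Path (Join-Path $root 'lbmxc.cmd')) { $findings += "Removable: lbmxc.cmd present on $($d.DeviceID)" }
    $folderNames = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name }
    Get-ChildItem -Path $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($folderNames -contains $_.BaseName) {
            $findings += "Removable: $($_.FullName) is named after folder '$($_.BaseName)'"
        }
    }
}

if ($findings.Count -eq 0) { 'No WORM_SPYBOT.BUQ indicators from the write-up were found.' } else { $findings }
```

Every match it prints is a lead, not a verdict: the Task Manager and registry-tools policies can also be set by legitimate group policy, and the Run-key heuristic will fire on any startup entry living one folder below System32. Treat a hit on several checks together (policy values, missing SafeBoot key, firewall exception, AUTORUN.INF on a removable drive) as the pattern this write-up describes, then move to the vendor's removal steps.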

Web Browser Home Page and Search Page Modification

This worm modifies the Internet Explorer Zone Settings.

Other Details

This worm connects to the following possibly malicious URLs:

  • http://ahmed2981982.{BLOCKED}e.com
  • http://{BLOCKED}amui.com
  • http://www.{BLOCKED}amui.com
  • http://lyceumbv.{BLOCKED}z.cz
  • http://e.{BLOCKED}z.cz
  • http://{BLOCKED}lic.net
  • http://{BLOCKED}p.net
  • http://{BLOCKED}oe.net
  • http://www.{BLOCKED}lcrossing.com
  • http://towlie123.to.{BLOCKED}c.de
  • http://www.{BLOCKED}l.de

NOTES:

This worm deletes any existing AUTORUN.INF on removable drives connected to the affected system and replaces it with an AUTORUN.INF that executes the copy it dropped on the drive.