ALS_BURSTED.MJSS

 Analysis by: Jaime Benigno Reyes

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

29,006 bytes

File Type:

LSP

Initial Samples Received Date:

08 May 2014

Payload:

Connects to URLs/IPs, Downloads files

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following file(s)/component(s):

  • {Autocad's installation folder}\wdpz.tat

It drops the following copies of itself into the affected system:

  • {Autocad's installation folder}\bakdwg.fas
  • {Autocad's user support folder where acad.dcl is located}\acad.fas

Other System Modifications

This worm modifies the following file(s):

  • {Autocad's user support folder where acad.dcl is located}\acad.mnl

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

  • http://ysywy.{BLOCKED}8.org/ysy.tmp
  • http://www.{BLOCKED}s.com/hqzxcj/wdzxcj.dat

It saves the files it downloads using the following names:

  • {Autocad's installation folder}\Support\wdzxcj.fas - detected as ALS_BURSTED.MJSU
  • %User Temp%\{random}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

NOTES:

This malware sends a PING command to the following sites:

  • ysyping.{BLOCKED}8.org
  • {BLOCKED}.{BLOCKED}.100.100

It propagates by dropping a copy of itself to the folder of the currently opened drawing file (.DWG) as acad.fas.

This malware checks the entries in the following registry key to determine whether an older version of itself is installed on the affected system:

HKEY_CURRENT_USER\Software\KenFiles\settings

It checks the values of the following registry entry:

HKEY_CURRENT_USER\Software\KenFiles\settings
SHXN = ""

If an old version of this malware is found, it deletes the following files in the Autocad installation folder and in the user support folder where acad.dcl is located, including their sub-folders:

  • acad.fas
  • isomianyi.shx
  • {value of SHXN}.shx

It then deletes the key HKEY_CURRENT_USER\Software\KenFiles\settings.

To enable its automatic execution every time Autocad is opened, it modifies the file acad.mnl inside the Autocad user support folder by inserting the following line of code:

(if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))

  SOLUTION

Minimum Scan Engine:

9.700

FIRST VSAPI PATTERN FILE:

10.782.03

FIRST VSAPI PATTERN DATE:

08 May 2014

VSAPI OPR PATTERN File:

10.783.00

VSAPI OPR PATTERN Date:

09 May 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove malware/grayware files dropped/downloaded by ALS_BURSTED.MJSS. (Note: Please skip this step if the threats listed below have already been removed.)

  • ALS_BURSTED.MJSU

Step 3

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {Autocad's installation folder}\wdpz.tat
  • %User Temp%\{random}.tmp

Step 4

Scan your computer with your Trend Micro product to delete files detected as ALS_BURSTED.MJSS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Close all sessions of Autocad before you scan your system.

Remove the line of code that the malware ALS_BURSTED.MJSS added to the file acad.mnl by doing the following:

  1. Open the following file using a text editor such as Notepad:
    {Autocad's user support folder where acad.dcl is located}\acad.mnl
  2. Delete the following entry:
    (if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))
  3. Save the file then close the text editor.
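As an added defender-side example that is not part of the original description, the following Python script checks acad.mnl content for the loader line shown above, returns a cleaned copy (the same result as the manual edit in steps 1 to 3), and flags file names from this worm's drop list in a list of paths. The function names and the sample acad.mnl content are constructed for this example.

```python
import re
import ntpath
from typing import List, Tuple

# The loader line this worm appends to acad.mnl, as given in the description:
#   (if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))
# Whitespace inside the form is allowed to vary; the symbol and file name are the indicators.
INJECTED_LOADER = re.compile(
    r'\(\s*if\s*\(\s*null\s+qxgxwddm\s*\)\s*'
    r'\(\s*if\s*\(\s*findfile\s+"bakdwg\.fas"\s*\)\s*'
    r'\(\s*load\s+"bakdwg\.fas"\s*\)\s*\)\s*\)',
    re.IGNORECASE,
)

# File names the description lists as dropped, copied or downloaded by this worm.
DROPPED_NAMES = {"wdpz.tat", "bakdwg.fas", "acad.fas", "wdzxcj.fas"}


def find_injected_loaders(mnl_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for each acad.mnl line carrying the loader."""
    hits = []
    for num, line in enumerate(mnl_text.splitlines(), start=1):
        if INJECTED_LOADER.search(line):
            hits.append((num, line))
    return hits


def strip_injected_loaders(mnl_text: str) -> str:
    """Return acad.mnl content with every injected loader line removed."""
    kept = [ln for ln in mnl_text.splitlines() if not INJECTED_LOADER.search(ln)]
    return "\n".join(kept) + ("\n" if mnl_text.endswith("\n") else "")


def flag_dropped_files(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches one of the worm's dropped files.
    ntpath handles Windows-style paths on any host."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


# Constructed sample acad.mnl: two harmless entries around the worm's loader line.
SAMPLE_MNL = (
    ';;; user menu LISP\n'
    '(defun c:hello () (princ "hi"))\n'
    '(if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))\n'
    '(princ)\n'
)

if __name__ == "__main__":
    for num, line in find_injected_loaders(SAMPLE_MNL):
        print(f"acad.mnl line {num}: {line}")
    print(strip_injected_loaders(SAMPLE_MNL), end="")
```

An acad.fas sitting next to a .DWG file is the propagation copy described above, so running flag_dropped_files over drawing folders is the quickest way to find where the worm has spread.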
