WORM_DELF.SK

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following component file(s):

• %Application Data%\{folder name}\{filename 2} (also detected as WORM_DELF.SK)
• %Windows%\Tasks\GoogleUpdateTaskUserS-17769-185731846-2809907627-500Core.job (scheduled task)

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

• %Application Data%\{folder name}\{filename 1}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It creates the following folders:

• %Application Data%\{folder name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
GuardMailRu = "%Application Data%\{folder name}\{filename 1}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%Application Data%\{folder name}\{filename 1}"

The scheduled task executes the malware every:

• minute

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Console
fileagain = "filename 1"

HKEY_CURRENT_USER\Console
lib = "filename 2"

HKEY_CURRENT_USER\Console
windir = "folder name"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {removable drive letter}:\Ëè÷íîå.pif

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• download arbitrary files
• perform remote shell commands
• get system information

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}ol.ru

Information Theft

This worm gathers the following data:

• user name
• drive information
• OS version

NOTES:

filename 1 could be one of the following:

• svshost.com
• svshost.exe
• adwans.exe
• smmsr.exe
• mms.exe
• taskhosts.exe
• winrars.exe
• msi.exe
• conhos.exe
• conime.exe
• bfsvc.exe

filename 2 could be one of the following:

• desktop.ini
• boot.ini
• tmp.tmp
• win.ini
• setup.log
• vclx70.bpl
• win32k.bad
• impact.ksr
• attribyt.lib
• cool.txt
• parabellym.inf

folder name could be one of the following:

• temp
• java
• Boot
• assembly
• AppPatch
• Help
• Media
• Setup
• ru-RU
• winsxs
• migration