UMBALD


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

UMBALD is a malware family of worms and backdoors that propagates through removable drives. It can also carry out commands from a remote malicious user, such as updating or uninstalling itself, uploading, downloading and executing files, and installing or uninstalling plugins.

Most UMBALD variants drop a copy of themselves into the Windows directory under a legitimate file name.

This worm executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This worm drops and executes the following files:

  • %User Profile%\Templates\THEMECPL.exe
  • {malware path}\Plugins\@
  • {drive letter}:\autorun.inf

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %Windows%\svchost.exe
  • %Windows%\winsvchost.exe
  • %Application Data%\sparmotz.exe
  • %User Temp%\sppnp.exe
  • {drive letter}:\starter.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\bw8legs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\umbra

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rJm3lrm1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\lPugXG43

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\bw8legs
UID = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\umbra
UID = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rJm3lrm1
UID = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\lPugXG43
UID = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Socks Virtual Host = ""%Windows%\svchost.exe""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Updater = "%Windows%\winsvchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pdf Updater = ""%Windows%\winsvchost.exe""

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
otstuksrs = "%Application Data%\sparmotz.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft® Windows® Operating System = "%User Profile%\THEMECPL.exe"

Backdoor Routine

This worm executes the following commands from a remote malicious user:

  • Uninstall Itself
  • Update Itself
  • Download and Execute Files
  • Upload Files
  • Install Plugin
  • Uninstall Plugin

Other Details

This worm connects to the following possibly malicious URLs:

  • http://{BLOCKED}x.net/panel/panel/bot.php
  • http://{BLOCKED}dlol.com/panel/panel/bot.php
  • http://{BLOCKED}kosika.com/panel/panel/bot.php
  • http://www.{BLOCKED}davies.net/files/working/100/Panel/bot.php
  • http://{BLOCKED}king.cc/umbra/Panel/bot.php
  • http://{BLOCKED}.{BLOCKED}.238.53/1/Panel2/Panel/bot.php

NOTES:

It drops any of the following folders:

  • %Windows%\Plugins
  • {malware path}\Plugins