WORM_PATCH.RL

 Analysis by: Michael Cabel

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Via physical/removable drives

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies registry entries to hide files with System and Read-only attributes. It creates certain registry entries to prevent execution of files with certain file types.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

361,294 bytes

Memory Resident:

Yes

Initial Samples Received Date:

27 Jul 2009

Payload:

Drops files

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Application Data%\java\?shimgvw?.exe
  • %Application Data%\java\?jview?.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Host Name}? = "%Application Data%\java\?shimgvw?.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
jre? = %Application Data%\java\?jview?.exe

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

HKEY_CURRENT_USER\Control Panel\Desktop
AutoEndTasks = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

HKEY_CLASSES_ROOT\exefile
NeverShowExt = ""

HKEY_CLASSES_ROOT\jpegfile
NeverShowExt = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverridex = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirstRunDisabledx = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirstRunDisabled = 1

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Desktop
AutoEndTasks = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Control Panel\Desktop
HungAppTimeout = "400"

(Note: The default value data of the said registry entry is "5000".)

HKEY_CURRENT_USER\Control Panel\Desktop
WaitToKillAppTimeout = "400"

(Note: The default value data of the said registry entry is "20000".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control
WaitToKillServiceTimeout = "2000"

(Note: The default value data of the said registry entry is "20000".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
jpegfile\DefaultIcon
(default) = "%Application Data%\java\{Random Character}shimgvw.exe{Random Character},0"

(Note: The default value data of the said registry entry is "%SystemRoot%\System32\imageres.dll,-72".)

It modifies the following registry entries to hide files with System and Read-only attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
UncheckedValue = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\HideFileExt
DefaultValue = 1

(Note: The default value data of the said registry entry is 2.)

It creates the following registry entries to prevent execution of files with certain file types:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{Application Name}
Debugger = "cmd.exe /c del /f /q "

Where {application name} may be any of the following:

  • EHttpSrv.exe
  • Nbrowser.exe
  • New Folder.exe
  • Njeeves.exe
  • Nvcoa.exe
  • SSCVIHOST.exe
  • ansavgd
  • autorunme.exe
  • blastclnn.exe
  • blastclnnn.exe
  • egui.exe
  • ekrn.exe
  • ise32.exe
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • npc_login.exe
  • npc_tray.exe
  • npcsvc32.exe
  • npflgutl.exe
  • npfports.exe
  • npfrules.exe
  • npfsvc32.exe
  • npfuser.exe
  • npfwiz.exe
  • nprosec.exe
  • nuaa.exe
  • nvcsched.exe
  • nvoy.exe
  • reg32.exe
  • rtpsvc.exe
  • scsaver.exe

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {Drive Letter}:\RÈCYCLER\thumbs.db

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage}
[Autorun]
;{garbage}
UseAutoPlay=1
;{garbage}
Action=Open folder to view files
;{garbage}
Open=RÈCYCLER\thumbs.db
;{garbage}
Shell\Open\Default=1
;{garbage}
Shell\Explore\Command=RÈCYCLER\thumbs.db
;{garbage}
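
The AUTORUN.INF above is mostly comment padding around a handful of directives that hand control to a file named thumbs.db inside an accented look-alike of the RECYCLER folder. As an added example (not part of the original description and not a Trend Micro tool), the Python below parses an INF body, drops the comment lines, reads the [Autorun] section and reports the traits listed: a command that points at a non-executable name, a folder whose name only matches RECYCLER after accents are stripped, the Shell\Open\Default=1 entry, and the volume of interleaved comment lines. It generalises past the two command keys shown on the page to any open, shellexecute or shell\<verb>\command entry. The sample INF is constructed from the strings the description lists; the text of its comment lines is made up.

```python
"""Parse an AUTORUN.INF body and flag the traits described above.  Added
example, not from the original description; the sample body is constructed and
the text of its comment lines is made up."""
import unicodedata

SAMPLE_AUTORUN_INF = r"""
;kq3j9dfa
[Autorun]
;x8ssd2
UseAutoPlay=1
;ppq1
Action=Open folder to view files
;zz0
Open=RÈCYCLER\thumbs.db
;a
Shell\Open\Default=1
;b
Shell\Explore\Command=RÈCYCLER\thumbs.db
;c
"""

# INF keys whose value AutoRun/AutoPlay may execute.
COMMAND_KEYS = ("open", "shellexecute")
# Extensions Windows runs directly; anything else named as a command is suspect.
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_inf(text):
    """Return {section: {key: value}} with ';' comment lines dropped.
    Section and key names are lower-cased (INF files are case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank, or one of the {garbage} comment lines
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_command_key(key):
    """'open', 'shellexecute', and any 'shell\\<verb>\\command' entry."""
    return key in COMMAND_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def lookalike_of(name, legit="RECYCLER"):
    """True when `name` equals `legit` only after accents are stripped,
    e.g. 'RÈCYCLER' -> 'RECYCLER'.  A plain 'RECYCLER' is not a look-alike."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return folded.upper() == legit and name.upper() != legit


def analyze_autorun(text):
    """Return a list of human-readable findings for one AUTORUN.INF body."""
    findings = []
    auto = parse_inf(text).get("autorun")
    if auto is None:
        return findings
    for key, cmd in auto.items():
        if not is_command_key(key) or not cmd.strip():
            continue
        target = cmd.split()[0]           # the program part, before any arguments
        if not target.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"{key}: command points at a non-executable name: {target}")
        first_dir = target.replace("/", "\\").split("\\")[0]
        if lookalike_of(first_dir):
            findings.append(f"{key}: folder {first_dir!r} is an accented look-alike of RECYCLER")
    if auto.get("shell\\open\\default") == "1":
        findings.append("shell\\open\\default=1 present beside rewritten open/explore commands")
    comments = sum(1 for line in text.splitlines() if line.strip().startswith(";"))
    if comments >= 3:
        findings.append(f"{comments} comment lines interleaved with directives (padding)")
    return findings


if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
```

Running it on the constructed sample yields six findings (two per command key, one for the default-verb entry, one for the comment padding); a plain installer INF with open=setup.exe and an icon entry yields none.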

NOTES:

It also creates the following registry entries to prevent certain applications from running:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\{Application Name}
Debugger = "rundll32.exe"

Where {Application Name} may be any of the following:

  • MSASCui.exe
  • attrib.exe
  • cscript.exe
  • wscript.exe

It also searches for .ZIP files in removable drives. It then adds a copy of itself in the files found.

It creates a folder named RÈCYCLER in the following folder which is the Microsoft CD Burning folder:

  • %Application Data%\Microsoft\CD Burning

It then drops a copy of itself in the said folder as "thumbs.db". It also drops an AUTORUN.INF file in the above mentioned folder. If a user uses the Microsoft CD burning feature to burn files to a CD, the added files, including a copy of itself are also burned to the CD.

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

6.318.04

FIRST VSAPI PATTERN DATE:

27 Jul 2009

VSAPI OPR PATTERN File:

6.319.00

VSAPI OPR PATTERN Date:

27 Jul 2009

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as WORM_PATCH.RL

Step 3

Terminate the process file(s) detected as WORM_PATCH.RL

*Note: If the detected file(s) is/are not displayed in the Windows Task Manager, continue with the next steps.

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {Host Name}? = "%Application Data%\java\?shimgvw?.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • jre? = %Application Data%\java\?jview?.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • EnableLUA = 0
  • In HKEY_CURRENT_USER\Control Panel\Desktop
    • AutoEndTasks = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • EnableLUA = 0
  • In HKEY_CLASSES_ROOT\exefile
    • NeverShowExt = ""
  • In HKEY_CLASSES_ROOT\jpegfile
    • NeverShowExt = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusOverridex = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirewallOverride = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UpdatesDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UacDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • FirstRunDisabledx = 1

Step 5

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon
    • From: (default) = "%Application Data%\java\{Random Character}shimgvw.exe{Random Character},0"
      To: (default) = "%SystemRoot%\System32\imageres.dll,-72"
  • In HKEY_CURRENT_USER\Control Panel\Desktop
    • From: AutoEndTasks = "1"
      To: AutoEndTasks = "0"
  • In HKEY_CURRENT_USER\Control Panel\Desktop
    • From: HungAppTimeout = "400"
      To: HungAppTimeout = "5000"
  • In HKEY_CURRENT_USER\Control Panel\Desktop
    • From: WaitToKillAppTimeout = "400"
      To: WaitToKillAppTimeout = "20000"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    • From: WaitToKillServiceTimeout = "2000"
      To: WaitToKillServiceTimeout = "20000"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    • From: DisableSR = 1
      To: DisableSR = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • From: UncheckedValue = 0
      To: UncheckedValue = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = 0
      To: ShowSuperHidden = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    • From: DefaultValue = 1
      To: DefaultValue = 2

Step 6

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • Svc
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • {Application Name}

Step 7

Search and delete AUTORUN.INF files created by WORM_PATCH.RL that contain these strings

;{garbage}
[Autorun]
;{garbage}
UseAutoPlay=1
;{garbage}
Action=Open folder to view files
;{garbage}
Open=RÈCYCLER\thumbs.db
;{garbage}
Shell\Open\Default=1
;{garbage}
Shell\Explore\Command=RÈCYCLER\thumbs.db
;{garbage}

Step 8

Search and delete this folder

Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden folders in the search result.

  • %Application Data%\Microsoft\CD Burning\RÈCYCLER
  • {Drive Letter}:\RÈCYCLER\thumbs.db

Step 9

Scan your computer with your Trend Micro product to delete files detected as WORM_PATCH.RL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
