WORM_SCAR.TF

October 08, 2012
 Analysis by: kathleenno
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Copies itself in all available physical drives, Propagates via removable drives

This worm drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size:

153,575 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

27 Apr 2011

Payload:

Compromises system security

Installation

This worm drops the following copies of itself into the affected system:

  • %User Temp%\dovq~.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WinC = %User Temp%\dovq~.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Temp%\dovq~.exe = %User Temp%\dovq~.exe:*:Enabled:Windows Live 2010

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=ESPFOLDER.exe
shell\open=abrir
shell\open\Command="ESPFOLDER.exe -e"
shell\explore=explorar
shell\explore\Command="ESPFOLDER.exe -e"

Backdoor Routine

This worm connects to the following websites to send and receive information:

  • http://{BLOCKED}os.multimania.es/v77/MYC/CT/sv.php

NOTES:

It searches for folders in all physical and removable drives then drop copies of itself as {folder name}.exe. It then sets the attribute of the original folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate folder.