PE_PAGIPEF.CA

 Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This file infector arrives on a system when an affected removable drive is connected to it. It can also arrive as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the registry key that holds Software Restriction Policies, so that any administrator-defined rules restricting which programs may run no longer apply, and it removes the SafeBoot entries for the disk drive device class, which prevents the system from starting in safe mode. Both changes make the malware harder to detect and remove.

It drops an AUTORUN.INF file on each removable drive so that the copy it places there runs automatically when a user opens the drive on an affected system.

  TECHNICAL DETAILS

File Size:

222,732 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

05 Mar 2009

Arrival Details

This file infector arrives on a system when an affected removable drive is connected to it.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following copies of itself into the affected system:

  • %System%\com\lsass.exe
  • {Malware path}\{malware name}.exe.log

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This file infector modifies the following registry entries so that files carrying the Hidden and System attributes (protected operating system files) stay invisible in Explorer, and so that the Folder Options control a user would use to show them again is no longer a working checkbox:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
Type = "radio"

(Note: The default value data of the said registry entry is checkbox.)

It deletes the following registry key, which stores Software Restriction Policies (SRP, also called SAFER); removing it discards any rules an administrator set to restrict which programs may run:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer

Propagation

This file infector drops the following copy of itself in all removable drives:

  • pagefile.pif

It drops an AUTORUN.INF file on each drive so that the dropped copy runs automatically when a user opens the drive, whether through AutoPlay or through the Open and Explore entries of the drive's context menu, which the file redirects to the copy.

The said .INF file contains the following strings (the two menu labels are GBK-encoded Chinese; reports that render the file as Latin-1 show them as ´ò¿ª(&O) and ×ÊÔ´¹ÜÀíÆ÷(&X)):

[AutoRun]
open=pagefile.pif
shell\open=打开(&O)
shell\open\Command=pagefile.pif
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=pagefile.pif

打开 means "Open" and 资源管理器 means "Explorer", the localized names of the Open and Explore entries Explorer itself shows for a drive, so the hijacked verbs look normal on a Chinese-language system. All three actions run pagefile.pif, a name chosen to resemble the Windows paging file pagefile.sys; a .PIF file is executed by Windows like an .EXE file.
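The following parser and triage routine is an added example, not code from the original report or from the malware author. It takes the INF above (constructed here as the GBK bytes the file actually contains, not as the Latin-1 rendering), lists every key that would make Explorer start a program, and flags the points a practitioner would look at: executable targets, names that imitate Windows system files, and all verbs pointing at the same file. The demojibake helper repairs labels copied out of a report that rendered the GBK text as Latin-1.

```python
"""Parse and triage an AUTORUN.INF of the kind dropped on removable drives.

Added example, not code from the original report. The sample INF is the one
listed above, re-encoded to the GBK bytes the file actually contains."""
import re

# Constructed sample input (the report's INF, stored as GBK like the real file).
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "open=pagefile.pif\r\n"
    "shell\\open=打开(&O)\r\n"
    "shell\\open\\Command=pagefile.pif\r\n"
    "shell\\open\\Default=1\r\n"
    "shell\\explore=资源管理器(&X)\r\n"
    "shell\\explore\\Command=pagefile.pif\r\n"
).encode("gbk")

# Extensions Windows runs as programs when named in open= or shell\verb\command=.
EXECUTABLE_EXT = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# Base names of Windows system files that droppers imitate (pagefile.sys, lsass.exe, ...).
MIMICKED_STEMS = {"pagefile", "lsass", "smss", "csrss", "svchost", "explorer"}


def demojibake(text: str) -> str:
    """Repair GBK text that a report rendered as Latin-1, e.g. '´ò¿ª' -> '打开'."""
    try:
        return text.encode("latin-1").decode("gbk")
    except UnicodeError:  # not Latin-1-rendered GBK; leave it alone
        return text


def parse_autorun(raw: bytes) -> dict:
    """Return {section: {key: value}} with section and key names lower-cased."""
    text = raw.decode("gbk", errors="replace")  # ASCII-only files decode unchanged
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def execution_targets(autorun: dict) -> dict:
    """Keys that make Explorer start a program: open=, shellexecute=, shell\\verb\\command=."""
    return {k: v for k, v in autorun.items()
            if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)}


def triage(raw: bytes) -> dict:
    """Summarise what the INF would run and why that looks malicious."""
    autorun = parse_autorun(raw).get("autorun", {})
    targets = execution_targets(autorun)
    # shell\<verb>= holds the context-menu label shown for the (hijacked) verb
    labels = {k: v for k, v in autorun.items() if re.fullmatch(r"shell\\[^\\]+", k)}
    findings = []
    for target in sorted({v.strip('"').lower() for v in targets.values()}):
        name = target.replace("\\", "/").rsplit("/", 1)[-1]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        if "." + ext in EXECUTABLE_EXT:
            findings.append(f"{target} is an executable ({ext.upper()}) started by AutoRun")
        if stem in MIMICKED_STEMS:
            findings.append(f"{target} imitates the name of a Windows system file")
    if len(targets) > 1 and len({v.lower() for v in targets.values()}) == 1:
        findings.append("double-click, Open and Explore all run the same file")
    return {"targets": targets, "labels": labels, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_AUTORUN_INF)
    for key, label in report["labels"].items():
        print(f"{key} label: {label}")
    for finding in report["findings"]:
        print("finding:", finding)
```

On a live drive, call triage(open(r"E:\autorun.inf", "rb").read()); an INF that only sets icon= or label= produces no findings, which is what a legitimate vendor file should look like.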

Dropping Routine

This file infector drops the following files:

  • %System Root%\NetApi000.sys
  • %System%\com\smss.exe
  • %System%\com\netcfg.000
  • %System%\com\netcfg.dll

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. The names lsass.exe and smss.exe belong to core Windows processes that legitimately reside only in %System%; copies under %System%\com are not part of Windows.)

Other Details

This file infector connects to the following possibly malicious URLs:

  • http://js.{BLOCKED}2.com/go.asp
  • http://jj.{BLOCKED}y.net/html/qb2.html

NOTES:

It deletes the following registry keys to disable system startup in safe mode ({4D36E967-E325-11CE-BFC1-08002BE10318} is the device setup class GUID for disk drives; with the DiskDrive class removed from the SafeBoot\Minimal and SafeBoot\Network lists, the disk class drivers are not loaded and a safe mode boot cannot complete):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}