arrow_back
search
close

WORM_DELF.FIG

October 09, 2012
 Analysis by: Kathleen Notario
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size:

138,240 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

26 Dec 2011

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

  • %System Root%\RECYCLER\{SID}\Desktop.ini
  • {Removable Drive}:\ReadMe\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • %System Root%\RECYCLER\{SID}\nvapbar.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\{SID}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = %System Root%\RECYCLER\{SID}\nvapbar.exe

Propagation

This worm creates the following folders in all removable drives:

  • ReadMe

It drops the following copy(ies) of itself in all removable drives:

  • {Removable Drive}:\ReadMe\DriveManual.html

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Other Details

This worm connects to the following website to send and receive information:

  • {BLOCKED}diction.{BLOCKED}sers.com

NOTES:
The said .INF file contains the following strings:

;{garbage characters}
[autorun[
;{garbage characters}
[autorun
;{garbage characters}
open=cmd /c start ""
"README\DriveManual.html"

:jne1
;{garbage characters}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage characters}
action=Open folder to view files using
Windows Explorer
;{garbage characters}
shell\\\open\\\command=cmd /c start ""
"README\DriveManual.html"
useautoplay=1
:call

shell\\explore\\\\command=cmd /c start ""
"README\DriveManual.html"
;{garbage characters}

[AutoRun]
;{garbage characters}