WORM_GRAYBIRD


 ALIASES:

Delf, Emerleox, Logsnif, Graybird, Pcclient

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

The HUPIGON malware family consists of backdoors. These are usually dropped by other malware onto a system or are downloaded unknowingly by users when visiting malicious sites. HUPIGON variants may drop several files or copies of themselves.

HUPIGON variants open ports or connect to servers to allow remote users to connect to the affected system. Once a successful connection is established, the remote user executes commands on the system, such as to delete files and folders, download and execute files, and terminate processes.

Variants may also gather information about the affected system. They can also steal information such as logged keystrokes, passwords, and other user credentials.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This worm drops the following files:

  • %System%\IEXPL0RER.bat
  • %System%\pchsvc.dll
  • %System%\Sysclt.dll
  • %System%\Systen.dll
  • %Windows%\{random}.dat
  • %Windows%\{random}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %System%\pchsvc.dll
  • %Program Files%\Common Files\Microsoft Shared\MSInfo\Stemp.exe
  • %System%\IEXPL0RER.EXE
  • %Windows%\Hacker.com.cn.ini

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Asynchronous = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Impersonate = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
DllName = "%System%\Systen.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS
Startup = "ServiceMain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\winlogon.exe = "%System%\winlogon.exe:*:Enabled:Thunder"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Asynchronous = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Impersonate = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
DllName = "%System%\Sysclt.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks
Startup = "ServiceMain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ImagePath = ""%System%\IEXPL0RER.EXE " /service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
DisplayName = "NTDISK Instrumentation Driver Extensions"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension
Description = "BlackHole Remote Control Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ImagePath = "%Program Files%\Common Files\Microsoft Shared\MSInfo\Stemp.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
DisplayName = "Oogical Kisk Manager Administrative Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ImagePath = "%Windows%\Hacker.com.cn.ini"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
DisplayName = "Windows XP Vista"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Parameters
ServiceMain = "ServiceMain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Enabled:Thunder"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\
QQ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\BITS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\TrkWks

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTDISK Driver Extension

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Oogical Kisk Manager Administrative Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Windows XP Vista

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\helpsvc\Parameters
ServiceDll = "%System%\pchsvc.dll"

(Note: The default value data of the said registry entry is %Windows%\PCHealth\HelpCtr\Binaries\pchsvc.dll.)
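The registry changes above give a defender four concrete places to look: the two Winlogon Notify packages, the three bogus services, the hijacked helpsvc ServiceDll and the two "Thunder" firewall exceptions. The following PowerShell audit is an added example and not part of the original Trend Micro entry; it uses only the key paths, value names and the default ServiceDll value stated in this report, and treats any present key or any ServiceDll that differs from the documented default as a finding.

```powershell
# Added example, not part of the original entry: read-only audit of the
# registry persistence points this report lists. Run from an elevated shell.
function Find-GraybirdPersistence {
    $findings = @()
    $svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Winlogon Notify packages 'BITS' / 'TrkWks' load Systen.dll / Sysclt.dll at
    # logon; neither is a legitimate Notify package name.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($pkg in 'BITS', 'TrkWks') {
        $key = Join-Path $notify $pkg
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).DllName
            $findings += "Winlogon Notify package '$pkg' present, DllName='$dll'"
        }
    }
    # Services created by the worm (the 'Oogical Kisk' misspelling is the worm's own).
    foreach ($svc in 'NTDISK Driver Extension',
                     'Oogical Kisk Manager Administrative Service',
                     'Windows XP Vista') {
        $key = Join-Path $svcRoot $svc
        if (Test-Path $key) {
            $img = (Get-ItemProperty -Path $key).ImagePath
            $findings += "Service '$svc' present, ImagePath='$img'"
        }
    }
    # helpsvc ServiceDll hijack: the default points into %Windows%\PCHealth\...,
    # the worm redirects it to %System%\pchsvc.dll.
    $params = Join-Path $svcRoot 'helpsvc\Parameters'
    if (Test-Path $params) {
        $dll      = (Get-ItemProperty -Path $params).ServiceDll
        $expected = Join-Path $env:SystemRoot 'PCHealth\HelpCtr\Binaries\pchsvc.dll'
        if ($dll -and $dll -ne $expected) {
            $findings += "helpsvc ServiceDll redirected to '$dll' (expected '$expected')"
        }
    }
    # Firewall exceptions for winlogon.exe / svchost.exe carrying the 'Thunder' label.
    $fwList = Join-Path $svcRoot 'SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $fwList) {
        foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
            if ($p.Name -match '\\(winlogon|svchost)\.exe$' -and "$($p.Value)" -like '*:Enabled:Thunder') {
                $findings += "Firewall exception '$($p.Name)' = '$($p.Value)'"
            }
        }
    }
    return $findings
}
$hits = Find-GraybirdPersistence
if ($hits) { $hits | ForEach-Object { "[!] $_" } } else { 'No WORM_GRAYBIRD persistence indicators found.' }
```

On systems without the Help and Support service (helpsvc) the ServiceDll check is skipped rather than reported, so a clean result on a modern host means only that none of the listed keys exist.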

Other Details

This worm connects to the following possibly malicious URLs:
