WORM_GERAL


 ALIASES:

Microsoft: Dogrobot, Dogkild; Ikarus: Geral; VBA32: Geral

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

GERAL (also known as The Robot Dog) is used to terminate security-related applications in order to download and execute other malicious files. As a result, system security is compromised.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Terminates processes, Downloads files

Installation

This worm drops the following files:

  • %System%\drivers\TvPlus.sys
  • %System%\drivers\pcidump.sys
  • %System%\jxgamepacik.pak
  • %User Temp%\{random}.exe
  • %Windows%\extext{random}t.exe
  • %Windows%\{random}test.dll
  • %Windows%\{random}text.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

  • %System%\scvhost.exe
  • %System%\kav.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %Program Files%\KAV

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RsTray = "%System%\scvhost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kav = "%System%\kav.exe"

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
{application} = "svchost.exe"

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application}
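The dropped files, Run-key values and Image File Execution Options entries listed in the Installation, Autostart Technique and Other System Modifications sections above can be audited on a suspect host with a read-only PowerShell check. This is an added example, not part of the original entry; the check for a "Debugger" value under IFEO is an assumption about the generic redirection mechanism, since the entry only states that the application subkey holds a value equal to "svchost.exe".

```powershell
# Added defender-side audit for the WORM_GERAL artifacts documented above.
# Read-only; run in an elevated session. Returns the list of findings.
function Find-GeralArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run-key values named in the entry (RsTray, kav).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in @('RsTray', 'kav')) {
        $data = $runProps.$name
        if ($data) { $findings.Add("Run value '$name' = $data") }
    }

    # 2. IFEO subkeys whose data references svchost.exe (as the entry documents)
    #    or that carry a Debugger value (assumption: generic IFEO redirection).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        foreach ($vname in $sub.GetValueNames()) {
            $data = [string]$sub.GetValue($vname)
            if ($data -match 'svchost\.exe' -or $vname -eq 'Debugger') {
                $findings.Add("IFEO\$($sub.PSChildName) : $vname = $data")
            }
        }
    }

    # 3. Fixed-name dropped files and the KAV folder. Note the misspelled
    #    'scvhost.exe' (the real service host is svchost.exe).
    $sys = [Environment]::GetFolderPath('System')
    $paths = @(
        (Join-Path $sys 'scvhost.exe'),
        (Join-Path $sys 'kav.exe'),
        (Join-Path $sys 'drivers\TvPlus.sys'),
        (Join-Path $sys 'drivers\pcidump.sys'),
        (Join-Path $sys 'jxgamepacik.pak')
    )
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf) { $paths += (Join-Path $pf 'KAV') }
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings.Add("Path present: $p") }
    }

    # 4. {random}-named drops in %Windows%: match the fixed parts of the names.
    $win = [Environment]::GetFolderPath('Windows')
    foreach ($pattern in @('*test.dll', '*text.exe', 'extext*t.exe')) {
        Get-ChildItem -Path $win -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Suspicious %Windows% file: $($_.FullName)") }
    }
    return $findings
}

Find-GeralArtifacts
```

An empty result means none of the documented artifacts were found; any IFEO hit should be reviewed by hand, since legitimate debuggers also use that key.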

Other Details

This worm connects to the following possibly malicious URLs, reporting the MAC address, worm version, and operating system of the affected system:

  • http://{BLOCKED}re.cn/xx8/Count.asp?mac={mac address}&ver={version}&os={OS}
  • http://{BLOCKED}4.cc/2/Count.asp?mac={mac address}&ver={version}&os={OS}
  • http://{BLOCKED}4.cc/7/Count.asp?mac={mac address}&ver={version}&os={OS}
  • http://{BLOCKED}2.{BLOCKED}j.com:18888/57/tj.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
  • http://{BLOCKED}o.{BLOCKED}2.org:300/up23/Count.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
  • http://www.{BLOCKED}2432.cn/0001/Count.asp?mac={mac address}&ver={version}&os={OS}
  • http://www.{BLOCKED}2432.cn/0004/Count.asp?mac={mac address}&ver={version}&os={OS}
  • http://{BLOCKED}3.cn/xx8/ttnew.txt
  • http://{BLOCKED}2.cn/0001/ttnew.txt
  • http://{BLOCKED}2.cn/0004/ttnew.txt
  • http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/d.txt
  • http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/host.txt
  • http://{BLOCKED}t.{BLOCKED}8.xicp.cn:300/aas.txt
  • http://{BLOCKED}8.com/xin/host.jpg
  • http://{BLOCKED}8.com/xin/xx2.txt
  • http://{BLOCKED}8.com/xin/xx7.txt