ALS_BURSTED.MJSS
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 29,006 bytes
File Type: LSP
Initial Samples Received Date: 08 May 2014
Payload: Connects to URLs/IPs, Downloads files
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following file(s)/component(s):
- {Autocad's installation folder}\wdpz.tat
It drops the following copies of itself into the affected system:
- {Autocad's installation folder}\bakdwg.fas
- {Autocad's user support folder where acad.dcl is located}\acad.fas
Other System Modifications
This worm modifies the following file(s):
- {Autocad's user support folder where acad.dcl is located}\acad.mnl
Download Routine
This worm connects to the following website(s) to download and execute a malicious file:
- http://ysywy.{BLOCKED}8.org/ysy.tmp
- http://www.{BLOCKED}s.com/hqzxcj/wdzxcj.dat
It saves the files it downloads using the following names:
- {Autocad's installation folder}\Support\wdzxcj.fas - detected as ALS_BURSTED.MJSU
- %User Temp%\{random}.tmp
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
NOTES:
This malware sends a PING command to the following sites:
- ysyping.{BLOCKED}8.org
- {BLOCKED}.{BLOCKED}.100.100
It propagates by dropping a copy of itself to the folder of the currently opened drawing file (.DWG) as acad.fas.
This malware checks the entries in the following registry key to know if there is an old version of this malware installed in the affected system:
HKEY_CURRENT_USER\Software\KenFiles\settings
It checks the values of the following registry entry:
HKEY_CURRENT_USER\Software\KenFiles\settings
SHXN = ""
If an old version of this malware is found, it deletes the following files under the Autocad installation folder, the user support folder where acad.dcl is located, and their sub-folders:
- acad.fas
- isomianyi.shx
- {value of SHXN}.shx
It then deletes the key HKEY_CURRENT_USER\Software\KenFiles\settings.
To enable its automatic execution every time Autocad is opened, it modifies the file acad.mnl inside the Autocad user support folder by inserting the following line of code:
(if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))
SOLUTION
Minimum Scan Engine: 9.700
First VSAPI Pattern File: 10.782.03
First VSAPI Pattern Release Date: 08 May 2014
VSAPI OPR Pattern Version: 10.783.00
VSAPI OPR Pattern Release Date: 09 May 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove malware/grayware files dropped/downloaded by ALS_BURSTED.MJSS. (Note: Please skip this step if the threats listed below have already been removed.)
- ALS_BURSTED.MJSU
Step 3
Search and delete these files
- {Autocad's installation folder}\wdpz.tat
- %User Temp%\{random}.tmp
Step 4
Scan your computer with your Trend Micro product to delete files detected as ALS_BURSTED.MJSS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Close all sessions of Autocad before you scan your system.
Remove the line of code that the malware ALS_BURSTED.MJSS added to the file acad.mnl by doing the following:
- Open the following file using a text editor such as Notepad:
{Autocad's user support folder where acad.dcl is located}\acad.mnl
- Delete the following entry: (if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))
- Save the file, then close the text editor.
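As an added example (not a Trend Micro tool or part of this description), the following Python script automates the acad.mnl cleanup described in the notes above and lists files carrying the names this description says the worm drops under a given folder, such as an AutoCAD support folder or a DWG project tree. The sample acad.mnl content is constructed, and the .mnl.bak backup name is my own choice.

```python
import re
from pathlib import Path

# The AutoLISP loader line the worm appends to acad.mnl (quoted from the description above).
INJECTED_LINE = '(if(null qxgxwddm) (if(findfile "bakdwg.fas") (load "bakdwg.fas")))'

# Whitespace-tolerant form of that expression, so a reformatted copy is still caught.
INJECTED_RE = re.compile(
    r'\(\s*if\s*\(\s*null\s+qxgxwddm\s*\)\s*'
    r'\(\s*if\s*\(\s*findfile\s+"bakdwg\.fas"\s*\)\s*'
    r'\(\s*load\s+"bakdwg\.fas"\s*\)\s*\)\s*\)', re.IGNORECASE)

# File names dropped or downloaded by the worm, per the description
# ({value of SHXN}.shx varies per infection and is therefore not listed).
DROPPED_NAMES = {"acad.fas", "bakdwg.fas", "wdpz.tat", "wdzxcj.fas", "isomianyi.shx"}

# Constructed sample acad.mnl: one legitimate startup hook followed by the injected loader.
SAMPLE_MNL = "(defun s::startup () (princ))\n" + INJECTED_LINE + "\n(princ)\n"


def clean_mnl_text(text: str) -> tuple[str, int]:
    """Return (text with the injected loader removed, number of lines removed)."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if INJECTED_RE.search(line):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def is_dropped_name(name: str) -> bool:
    """True if a file name matches one the worm drops (case-insensitive, as on NTFS)."""
    return name.lower() in DROPPED_NAMES


def find_dropped_files(root: Path) -> list[Path]:
    """Walk root recursively and return files whose names match the dropped set."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_dropped_name(p.name))


def clean_mnl_file(path: Path) -> int:
    """Strip the loader from an acad.mnl on disk, keeping a .mnl.bak copy; returns lines removed."""
    original = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = clean_mnl_text(original)
    if removed:
        path.with_suffix(".mnl.bak").write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return removed
```

Close all AutoCAD sessions before running it against a live support folder, as the notes above require, since an open session may reload or rewrite acad.mnl.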