WORM_RENOCIDE.DW

 Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

940,890 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

10 Apr 2012

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\38653843.exe
  • %System%\csrcs.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
csrcs = "%System%\csrcs.exe"

It modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe csrcs.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
ilop = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix1 = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
exp1 = "{random hex}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
dreg = "{random hex}"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {random}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[AuTOrUn
;{garbage characters}
open={random}.exe
;{garbage characters}
shell\open\Command={random}.exe
;{garbage characters}
shell\open\Default=1
;{garbage characters}
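As an added defender-side example (not code from the original analysis), the following Python parses an AUTORUN.INF of the shape listed above, skipping the junk comment lines and tolerating the mixed-case, unclosed section header, and also separates any extra program from the Winlogon Shell value described under Autostart Technique. The file contents and the executable name are constructed sample data.

```python
import re

# Constructed sample mirroring the strings listed above (not a real dropped file).
SAMPLE_AUTORUN = """;k3j@!#x
[AuTOrUn
;zz$%^
open=8f2a1c.exe
;q(*)
shell\\open\\Command=8f2a1c.exe
;&&&
shell\\open\\Default=1
;!!
"""

# Keys in autorun.inf that cause a program to run when the drive is opened.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, ignoring comment lines.

    The section header match is case-insensitive and tolerates a missing ']'
    (as in the listing above); keys are lower-cased for comparison.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # junk comment lines padding the file
        if line.startswith("["):
            in_section = line.lstrip("[").rstrip("]").strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_launch_targets(text):
    """Executables the autorun.inf would launch; a non-empty list means inspect the drive."""
    entries = parse_autorun(text)
    return sorted({entries[k] for k in EXEC_KEYS if k in entries})

def winlogon_shell_extras(value):
    """Programs appended to the Winlogon Shell value beyond the default Explorer.exe."""
    parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return [p for p in parts if p.lower() != "explorer.exe"]

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))           # ['8f2a1c.exe']
    print(winlogon_shell_extras("Explorer.exe csrcs.exe"))  # ['csrcs.exe']
```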

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://www.whatismyip.com/automation/n09230945.asp

It connects to the following possibly malicious URLs:

  • http://{BLOCKED}fdone.com:4800/po.php
  • http://{BLOCKED}fdone.com:4800/banner.gif
  • http://{BLOCKED}.19.236:4700/fruits.htm

NOTES:
It accesses the following torrent sites:

  • http://thepiratebay.org/top/401
  • http://thepiratebay.se/top/401
  • http://isohunt.com/torrents/?iht=4&ihs1=2&age=0