BKDR_OTWYCAL
Otwycal, Wowinzi, Cowya
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
CAOLYWA is a file infector with worm capabilities, greatly improving its propagation capability. It spreads across computers by dropping copies of itself in removable drives. It has also been seen distributed via the Internet. In 2008, a compromise led to the download of PE_CAOLYWA.E.
This file infector executes commands from its C&C server. It downloads a text file or a configuration file and executes the commands contained in the said configuration file.
This file infector infects by appending its code to target host files.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It executes commands from a remote malicious user, effectively compromising the affected system.
TECHNICAL DETAILS
Installation
This file infector drops the following copies of itself into the affected system:
- %Windows%\Tasks\0x01xx8p.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following files:
- {drive letter}:\MSDOS.bat
- %Windows%\Tasks\explorer.ext
- %Windows%\Tasks\spoolsv.ext
- %Windows%\Tasks\SysFile.brk
- C:\zzz.sys
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
File Infection
This file infector infects the following file types:
- . To
- .GHO
- .asp
- .aspx
- .bat
- .cgi
- .cmd
- .do
- .exe
- .htm
- .html
- .jsp
- .php
- .scr
- .shtm
- .shtml
- .xml
It infects by appending its code to target host files.
It avoids infecting folders containing the following strings:
- Program Files
It avoids infecting the following files:
- qq.exe
- QQDoctor.exe
- QQDoctorMain.exe
Propagation
This file infector drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun]
open=MSDOS.bat
shell\open={characters}
shell\open\Command=MSDOS.bat
shell\open\Default=1
shell\explore={characters}
shell\explore\Command=MSDOS.bat
Backdoor Routine
This file infector executes the following commands from a remote malicious user:
- Access sites
- Download and execute files
- Infect files
- Spread itself via removable drives
Process Termination
This file infector terminates the following processes if found running in the affected system's memory:
- avp.exe
- kvsrvxp.exe
- kissvc.exe
Download Routine
This file infector connects to the following URL(s) to download its configuration file:
- http://c.{BLOCKED}m.com/config.txt
- http://w.{BLOCKED}b.cn/config.txt
- http://x.{BLOCKED}1.net/x.txt
It saves the files it downloads using the following names:
- %System%\windows.txt
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)