ALIASES:

Otwycal, Wowinzi, Cowya

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Infects files, Propagates via removable drives

CAOLYWA is a file infector with worm capabilities, greatly improving its propagation capability. It spreads across computers by dropping copies of itself in removable drives. It has also been seen distributed via the Internet. In 2008, a compromise led to the download of PE_CAOLYWA.E.

This file infector executes commands from its C&C server. It downloads a text file or a configuration file and executes the commands contained in the said configuration file.

This file infector infects by appending its code to target host files.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Connects to URLs/IPs

Installation

This file infector drops the following copies of itself into the affected system:

  • %Windows%\Tasks\0x01xx8p.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following files:

  • {drive letter}:\MSDOS.bat
  • %Windows%\Tasks\explorer.ext
  • %Windows%\Tasks\spoolsv.ext
  • %Windows%\Tasks\SysFile.brk
  • C:\zzz.sys

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

File Infection

This file infector infects the following file types:

  • . To
  • .GHO
  • .asp
  • .aspx
  • .bat
  • .cgi
  • .cmd
  • .do
  • .exe
  • .htm
  • .html
  • .jsp
  • .php
  • .scr
  • .shtm
  • .shtml
  • .xml

It infects by appending its code to target host files.

It avoids infecting folders containing the following strings:

  • Program Files

It avoids infecting the following files:

  • qq.exe
  • QQDoctor.exe
  • QQDoctorMain.exe

Propagation

This file infector drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]

open=MSDOS.bat

shell\open={characters}

shell\open\Command=MSDOS.bat

shell\open\Default=1

shell\explore={characters}

shell\explore\Command=MSDOS.bat

Backdoor Routine

This file infector executes the following commands from a remote malicious user:

  • Access sites
  • Download and execute files
  • Infect files
  • Spread itself via removable drives

Process Termination

This file infector terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • kvsrvxp.exe
  • kissvc.exe

Download Routine

This file infector connects to the following URL(s) to download its configuration file:

  • http://c.{BLOCKED}m.com/config.txt
  • http://w.{BLOCKED}b.cn/config.txt
  • http://x.{BLOCKED}1.net/x.txt

It saves the files it downloads using the following names:

  • %System%\windows.txt

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)