Analysis by: Christopher Daniel So
Modified by: Sabrina Lei Sioting

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003


  • Threat Type: File infector

  • Destructiveness: Yes

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Infects files, Propagates via removable drives, Downloaded from the Internet, Dropped by other malware

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects by appending its code to target host files.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: Varies
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 26 Jul 2011
Payload: Disables services, Drops files, Modifies HOSTS file

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following file:

  • %System Root%\Documents and Settings\Infotmp.txt

(Note: %System Root% is the Windows root folder, usually C:\ on all Windows versions.)

It injects itself into the following process as part of its memory residency routine:

  • svchost.exe

Other System Modifications

This file infector adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{Service name}\000
Service = "{Service name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
Debugger = "ntsd -d"

It adds the following registry key as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{Service name}

It deletes the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt

Where {Application name} may be any of the following:

  • 360SoftMgrSvc.exe
  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360speedld.exe
  • 360tray.exe
  • CCenter.exe
  • KVMonXP.kxp
  • KVSrvXP.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • McNASvc.exe
  • McProxy.exe
  • McSACore.exe
  • Mcagent.exe
  • Mcods.exe
  • Mcshield.exe
  • MpfSrv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • RsTray.exe
  • ScanFrm.exe
  • SfCtlCom.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • UfSeAgnt.exe
  • ast.exe
  • avcenter.e
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avwebgrd.exe
  • bdagent.exe
  • ccSvcHst.exe
  • egui.exe
  • ekrn.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • kswebshield.exe
  • kwatch.exe
  • livesrv.exe
  • mcmscsvc.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • msksrver.exe
  • qutmserv.exe
  • rsnetsvr.exe
  • safeboxTray.exe
  • sched.exe
  • seccenter.exe
  • vsserv.exe
  • zhudongfangyu.exe
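The Image File Execution Options (IFEO) entries above work because Windows, when a Debugger value exists for an image name, starts the named "debugger" with the program as its argument instead of running the program directly; pointing the value at "ntsd -d" for each security product's executable therefore keeps those products from starting normally. The following is an added example, not Trend Micro's pattern or detection logic: it parses a `reg export` style text dump and reports every IFEO subkey that carries a Debugger value, rating the "ntsd -d" pattern on a security product image name as high. The .reg text is constructed for the example, and SECURITY_PRODUCT_IMAGES is a subset of the {Application name} list above.

```python
"""Flag IFEO Debugger hijacks in a .reg text export (added example)."""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Subset of the {Application name} list on this page, lowercased for matching.
SECURITY_PRODUCT_IMAGES = {
    "360tray.exe", "360sd.exe", "avp.exe", "egui.exe", "ekrn.exe",
    "mcshield.exe", "ccsvchst.exe", "tmbmsrv.exe", "ufseagnt.exe", "zhudongfangyu.exe",
}

# Constructed .reg export: two hijacked security products, one legitimate
# developer debugger, and one IFEO subkey that sets no Debugger at all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

# A value line is either "name"=data or @=data (the default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name_lower: value}} parsed from a .reg text export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else ""  # "" is the (Default) value
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex(...) and other encodings are left as raw text
        entries[current][name.lower()] = value
    return entries


def find_ifeo_debuggers(entries):
    """Return sorted [(image_name, debugger, severity)] for IFEO subkeys that set Debugger."""
    hits = []
    for key, values in entries.items():
        parent, _, image = key.rpartition("\\")
        if parent.lower() != IFEO_KEY.lower() or "debugger" not in values:
            continue
        debugger = str(values["debugger"])
        hijack_pattern = debugger.strip().lower() == "ntsd -d" or image.lower() in SECURITY_PRODUCT_IMAGES
        hits.append((image, debugger, "high" if hijack_pattern else "review"))
    return sorted(hits)


if __name__ == "__main__":
    for image, debugger, severity in find_ifeo_debuggers(parse_reg_export(SAMPLE_REG)):
        print(f"[{severity}] {image} -> Debugger = {debugger}")
```

Any Debugger value under IFEO is worth a look, since legitimate uses are rare outside developer machines; the example therefore reports all of them and only rates the pattern from this page as high.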

File Infection

This file infector infects the following file types:

  • .EXE
  • .EXE files inside a .RAR

It infects the following file types on network shares to ensure its propagation:

  • .EXE
  • .EXE files inside .RAR

It infects by appending its code to target host files.
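Appending code to a host executable leaves structural traces that a defender can check for without a signature: the entry point ends up resolving into the last section, that section is typically both writable and executable, and data may trail the end of the last section as an overlay. The following is an added example, not Trend Micro's detection logic: it parses just the PE32 header fields it needs with the standard library and reports those three indicators. Both sample files are constructed fixtures built by `build_pe`; they carry valid headers for the parser but are not loadable programs, and the second one is shaped like an appended-code infection so that the heuristic has something to find.

```python
"""Heuristic indicators of appended-code infection in a PE32 file (added example)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [section dicts]) for a PE32 image, raising ValueError if malformed."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
        off += 40
    return entry_rva, sections


def appended_code_indicators(data):
    """Return a list of findings; an empty list means none of the indicators are present."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    findings, last = [], sections[-1]
    ep_section = next((s for s in sections
                       if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_section is None:
        findings.append("entry point outside all sections")
    elif ep_section is last and len(sections) > 1:
        findings.append(f"entry point in last section {last['name']!r}")
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section {last['name']!r} is writable and executable")
    end_of_sections = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end_of_sections:
        findings.append(f"{len(data) - end_of_sections} bytes of overlay after the last section")
    return findings


def build_pe(sections, entry_rva, overlay=b""):
    """Constructed fixture builder: valid PE32 headers over (name, rva, chars, body) tuples."""
    file_align, headers_size = 0x200, 0x200
    hdr = bytearray(headers_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 60, 64)                       # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = 88
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)           # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, file_align)
    body, off, rawptr = bytearray(), opt + 224, headers_size
    for name, rva, chars, content in sections:
        rawsize = -(-len(content) // file_align) * file_align  # round up to FileAlignment
        struct.pack_into("<8sIIIIIIHHI", hdr, off, name.encode(), len(content), rva,
                         rawsize, rawptr, 0, 0, 0, 0, chars)
        body += content.ljust(rawsize, b"\0")
        rawptr, off = rawptr + rawsize, off + 40
    return bytes(hdr) + bytes(body) + overlay


TEXT = (".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, b"\xC3" * 64)
DATA = (".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE, b"\x00" * 16)
# Constructed clean fixture: entry point in .text, nothing after the section data.
CLEAN = build_pe([TEXT, DATA], entry_rva=0x1000)
# Constructed fixture shaped like an appended-code infection: an extra writable and
# executable section, the entry point redirected into it, and trailing overlay bytes.
SUSPECT = build_pe([TEXT, DATA, (".extra", 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE |
                                 IMAGE_SCN_MEM_WRITE, b"\x90" * 300)],
                   entry_rva=0x3010, overlay=b"A" * 37)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, appended_code_indicators(sample) or ["no indicators"])
```

Packers and self-extracting archives trigger the same indicators, so a hit is a reason to inspect or scan the file, not a verdict on its own.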

It avoids infecting folders whose names contain the following strings:

  • ComPlus Applications
  • Common Files
  • Documents and Settings
  • InstallShield Installation Information
  • Internet Explorer
  • MSN Gaming Zone
  • Messenger
  • Microsoft frontpage
  • Movie Maker
  • NetMeeting
  • Outlook Express
  • RECYCLER
  • System Volume Information
  • Thunder
  • Thunder Network
  • WINDOWS
  • WinNT
  • WinRAR
  • Windows Media Player
  • Windows NT
  • WindowsUpdate

Propagation

This file infector creates the following folder in all removable drives:

  • recycle.{645FF040-5081-101B-9F08-00AA002F954E}

It drops the following copy(ies) of itself in all removable drives:

  • recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
shell\open=打开(&O)
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
shell\open\Default=1//
shell\explore=资源管理器(&X)
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
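The folder name `recycle.{645FF040-5081-101B-9F08-00AA002F954E}` reuses the Recycle Bin's CLSID, so Explorer shows it with a Recycle Bin icon; the two shell verbs (the Chinese labels are "Open" and "Explorer", written in the GBK code page and shown as mojibake on systems using another code page) redirect the drive's Open and Explore context-menu entries to the dropped copy, and shell\open\Default makes that the double-click action. The following is an added example, not Trend Micro's pattern: it decodes an AUTORUN.INF with the legacy code page, reads the [autorun] section, and reports those indicators. The sample files are constructed for the example; the first reproduces the strings listed above.

```python
"""Triage an AUTORUN.INF for the removable-drive pattern on this page (added example)."""

RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed copy of the strings this page lists.
PIKORAV_AUTORUN = r"""[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
shell\open=打开(&O)
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
shell\open\Default=1//
shell\explore=资源管理器(&X)
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
"""

# Constructed benign file: an icon and a label, nothing to execute.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.ico
label=Product Installer
"""


def decode_autorun(raw):
    """Decode INF bytes: UTF-8 first, then GBK (the code page this sample uses), else Latin-1."""
    for codec in ("utf-8-sig", "gbk"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1")


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section; INF keys are case-insensitive."""
    keys, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys = parse_autorun(text)
    findings = []
    # OPEN, SHELLEXECUTE and every shell\<verb>\Command entry can launch something.
    launchers = {k: v for k, v in keys.items()
                 if k in ("open", "shellexecute") or k.endswith("\\command")}
    targets = set()
    for k, v in sorted(launchers.items()):
        target = v.split()[0] if v.split() else v       # drop arguments such as "Show"
        targets.add(target.lower())
        if target.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"{k} launches an executable from the drive: {target}")
        if RECYCLE_BIN_CLSID in target.lower():
            findings.append(f"{k} points into a folder disguised with the Recycle Bin CLSID")
    if keys.get("shell\\open\\default", "").startswith("1"):
        findings.append("shell\\open\\Default overrides the drive's default double-click action")
    if len(launchers) > 1 and len(targets) == 1:
        findings.append(f"all {len(launchers)} launch entries point at the same file")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(decode_autorun(PIKORAV_AUTORUN.encode("gbk"))):
        print("-", finding)
    print("benign sample:", assess_autorun(BENIGN_AUTORUN) or "no findings")
```

Reading the file as bytes and decoding explicitly matters here: the same four bytes that display as the garbled `´ò¿ª` under a Western code page are the GBK text for the Open verb, and a detection written against the garbled form would miss the file on a system that renders it correctly.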

HOSTS File Modification

This file infector overwrites the HOSTS file in the following location:

  • %System%\drivers\etc\host (On Windows 2000, XP, and Server 2003)

Other Details

This file infector deletes itself after execution.

NOTES:

This file infector disables Windows System File Checker (SFC).

It attempts to stop the following services and replace them with a copy of itself. The file name of the copy is based on the file name of the service being replaced:

  • 6to4 (6to4.dll)
  • AppMgmt (appmgmts.dll)
  • BITS (qmgr.dll)
  • Browser (browser.dll)
  • CryptSvc (cryptsvc.dll)
  • EventSystem (es.dll)
  • FastUserSwitchingCompatibility (shsvcs.dll)
  • helpsvc (pchsvc.dll)
  • Ias (ias.dll)
  • Iprip (iprip.dll)
  • Irmon (irmon.dll)
  • Netman (netman.dll)
  • Nla (mswsock.dll)
  • Ntmssvc (ntmssvc.dll)
  • NWCWorkstation (NWCWorkstation.dll)
  • Nwsapagent (Nwsapagent.dll)
  • RemoteRegistry (regsvc.dll)
  • Schedule (schedsvc.dll)
  • SSDPSRV (ssdpsrv.dll)
  • Tapisrv (tapisrv.dll)
  • upnphost (upnphost.dll)
  • WmdmPmSN (mspmsnsv.dll)
  • WmdmPmSp (WmdmPmSp.dll)
  • xmlprov (xmlprov.dll)

The service names mentioned above are used in the creation of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{Service name}

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.312.09
FIRST VSAPI PATTERN DATE: 26 Jul 2011
VSAPI OPR PATTERN File: 8.313.00
VSAPI OPR PATTERN Date: 27 Jul 2011

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by PE_PIKORAV.SM-O. (Note: Please skip this step if the threat(s) listed below have already been removed.)

  • RTKT_AGENT.SMB

Step 3

Restart in Safe Mode


Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
    • Debugger = "ntsd -d"

Step 5

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode; for instructions on how to do this, refer to this page. If the preceding step already required you to restart in Safe Mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    • LEGACY_{Service name}

Step 6

Restore this deleted registry key/value from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt

Step 7

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden folders in the search results.

  • {drive letter}\recycle.{645FF040-5081-101B-9F08-00AA002F954E}

Step 8

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden files and folders in the search results.

  • %System Root%\Documents and Settings\Infotmp.txt

Step 9

Search and delete AUTORUN.INF files created by PE_PIKORAV.SM-O that contain these strings

[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
shell\open=打开(&O)
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
shell\open\Default=1//
shell\explore=资源管理器(&X)
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_PIKORAV.SM-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 11

Restore these deleted files from backup

*Note: Only Microsoft-related files will be restored. If this malware/grayware also deleted files belonging to programs that are not from Microsoft, please reinstall those programs on your computer.

%System%\drivers\etc\host (On Windows NT, 2000, XP, and Server 2003)
%Windows%\host.sam (On Windows 98 and ME)

Step 12

Scan your computer with your Trend Micro product to delete files detected as PE_PIKORAV.SM-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the Trend Micro Support pages for more information.
