SOCKS
Microsoft: Koceg; Symantec: Mandaph; Sunbelt: Socks; Authentium: Socks; ClamAV: Socks; Fortinet: Socks; Fprot: Socks; Ikarus: Socks; Eset: Socks; Panda: Socks; VBA32: Socks
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The SOCKS malware family is known for spreading through removable drives. It is also used to control the affected systems using commands from a remote server.
TECHNICAL DETAILS
Installation
This worm drops the following files:
- %AppDataLocal%\cftmon.exe
- %System%\drivers\spools.exe
- {drive letter}\autorun.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- %AppDataLocal%\cftmon.exe
- %System%\drivers\spools.exe
- {drive letter}\autorun.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ntuser = "%System%\drivers\spools.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
autoload = "%AppDataLocal%\cftmon.exe"
It modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe"
(Note: The default value data of the said registry entry is Explorer.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UserInit = "%System%\userinit.exe,"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
Other System Modifications
This worm modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
UIHost = "logonui.exe"
(Note: The default value data of the said registry entry is logonui.exe.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Schedule
ImagePath = "%System%\drivers\spools.exe"
(Note: The default value data of the said registry entry is %SystemRoot%\System32\svchost.exe -k netsvcs.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects
Other Details
This worm connects to the following possibly malicious URL:
- http://{BLOCKED}wfwe.com
- http://{BLOCKED}we.net
- http://www.{BLOCKED}ains.com/domain_profile.cfm?d=fewfwe&e=com