WORM_CHIPIVER.AB
W32/Downloader_a.CMX!tr (Fortinet), Trojan-Downloader.Win32.Small (Ikarus), Worm:Win32/Chiviper.C (Microsoft), a variant of Win32/PSW.OnLineGames.QDL trojan (NOD32), Trojan.Gen.2 (Norton), Trojan.Win32.Generic!BT (Sunbelt), Trojan.Generic.KDV.723881 (Bitdefender)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %User Temp%\{random filename}.tmp
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It drops the following file(s)/component(s):
- %Windows%\usp10.dll
- %User Temp%\00{random file name}.temp
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Other System Modifications
This worm modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager
ExcludeFromKnownDlls = "usp10.dll"
Download Routine
This worm connects to the following malicious URLs:
- http://{BLOCKED}f.info/duqu/m97.txt
- http://{BLOCKED}5.{BLOCKED}fla.com/tj1/post.asp?d10=08-00-27-DA-9F-73&d11=ver-jc-x98&d21=56&d22=xp
NOTES:
This worm drops copies of itself in all folders on fixed drives and removable drives containing .EXE files. This allows this worm to be loaded when an .EXE file attempts to load the legitimate USP10.DLL. This happens when an .EXE file loads DLL components from the same folder before checking in the system folders for the component DLL.