Analysis by: Abraham Latimer Camba

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This worm arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all drives, naming each copy after a folder found on that drive.

It connects to certain websites to send and receive information.

TECHNICAL DETAILS

File Size: 53,248 bytes
File Type: EXE
Initial Samples Received Date: 21 Mar 2012

Arrival Details

This worm arrives via peer-to-peer (P2P) shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\wcynsvc.exe
  • %System%\wcynsvc.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wnetwise
ImagePath = "%System%\wcynsvc.exe"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
DisplayName = "Windows netware view information setup"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Security
Security =

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000\Control
*NewlyCreated* = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
Service = "Wnetvise"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
Legacy = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
ClassGUID = "{GUID}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000
DeviceDesc = "Windows netware view information setup"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Enum
0 = "Root\LEGACY_WNETVISE\0000"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Enum
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise
Description = "Provide security by Windows netware work system information"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETVISE\0000\Control

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetvise\Enum

Propagation

This worm drops the following copies of itself in all physical and removable drives:

  • No Delete .exe

It also drops copies of itself in all drives, naming each copy after a folder found on that drive.
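As an added defender-side check (not part of this write-up or any vendor tooling), the following Python scans a drive for the two propagation artifacts described above: the fixed "No Delete .exe" drop and .exe files whose names mimic a sibling folder, reporting whether each file's size matches the 53,248-byte sample. The drive layout built by demo() is constructed sample data; the write-up does not say whether the mimic copies sit at the drive root or inside subfolders, so the scan walks every directory.

```python
import os
import tempfile
from pathlib import Path

# Values taken from this write-up: the fixed drop name and the sample size.
DROPPED_NAME = "no delete .exe"
REPORTED_SIZE = 53_248


def find_worm_copies(drive_root):
    """Walk a drive and flag .exe files matching this worm's propagation pattern.

    Two indicators: the fixed "No Delete .exe" drop, and an .exe whose base name
    equals a folder in the same directory (a folder-name mimic). The size is
    reported so an analyst can compare it against the 53,248-byte sample.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(drive_root):
        folders = set(dirnames)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            if name.lower() == DROPPED_NAME:
                reason = "fixed drop name"
            elif stem in folders:
                reason = f"mimics folder '{stem}'"
            else:
                continue  # ordinary executable, not one of the two patterns
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            hits.append({"path": os.path.relpath(path, drive_root).replace(os.sep, "/"),
                         "reason": reason, "size": size,
                         "size_matches_sample": size == REPORTED_SIZE})
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Build a constructed drive layout in a temp dir and scan it (sample data)."""
    root = tempfile.mkdtemp(prefix="drive_")
    for folder in ("Photos", "Work", "Tools"):
        os.mkdir(os.path.join(root, folder))
    # Constructed files: two folder mimics, the fixed drop, and one benign installer.
    Path(root, "Photos.exe").write_bytes(b"\0" * REPORTED_SIZE)
    Path(root, "Work.exe").write_bytes(b"\0" * 1024)
    Path(root, "No Delete .exe").write_bytes(b"\0" * REPORTED_SIZE)
    Path(root, "setup.exe").write_bytes(b"\0" * 4096)
    return find_worm_copies(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```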

Other Details

This worm connects to the following website to send and receive information:

  • {BLOCKED}ng.3322.org
  • {BLOCKED}noc8a.gicp.net