WORM_NARILAM.B
Trojan-Spy.Win32.Narilam (Ikarus), Trojan:Win32/Delfsnif.DU (Microsoft), W32.Narilam (Symantec)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware is able to delete and/or damage the contents of databases used for businesses. It targeted Middle Eastern corporations in a series of attacks on November 2012.
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.
This worm arrives via removable drives.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may arrive via network shares.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %System%\lssas.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
LssaShellEx = "%System%\lssas.exe -reg "
Propagation
This worm drops copies of itself in the following shared folders:
- C$\Documents and Settings\All Users\Start Menu\Programs\Startup\DATA.EXE
- D$\Documents and Settings\All Users\Start Menu\Programs\Startup\DATA.EXE
- C$\Documents and Settings\user\Start Menu\Programs\Startup\DATA.EXE
- D$\Documents and Settings\user\Start Menu\Programs\Startup\DATA.EXE
It drops the following copy(ies) of itself in all removable drives:
- DATA.EXE
NOTES:
It uses the following commands to get the available shared networks:
- net.exe view
It searches all folders for the following files:
- amin.exe
- maliran.exe
- shahd.exe
It drops a copy of itself as BACKUP.EXE to the folders where the above files are found. It also checks for the following files that may contain information about the server in which the SQL database is stored:
- Data\Options.ini
- servername.dbf
- ServerName_XP.DB
It performs the following tasks:
- Delete records from database
- Update records on the database
- Delete all records in the database
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Terminate a malware/grayware process
*Note: If the detected process is not displayed in theWindows Task Manager, continue doing the next steps.
- %System%\lssas.exe
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- LssaShellEx = "%System%\lssas.exe -reg "
- LssaShellEx = "%System%\lssas.exe -reg "
Step 4
Scan your computer with your Trend Micro product to delete files detected as WORM_NARILAM.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 5
Restore these deleted files from backup
*Note: Only Microsoft-related keys/values will be restored. If this malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- Data\Options.ini
- servername.dbf
- ServerName_XP.DB
Did this description help? Tell us how we did.