Analysis by: Sabrina Lei Sioting
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives.

It disables Task Manager, Registry Editor, and Folder Options.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 1,828,961 bytes
File Type: EXE
File Compression: UPX
Memory Resident: No
Initial Samples Received Date: 17 Aug 2011

Arrival Details

This worm arrives via removable drives.

Installation

This worm drops the following copies of itself into the affected system:

  • %Windows%\SVRCHOST.exe
  • %System%\SVRCHOST.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

  • %System%\autorun.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSN Messengger = "%System%\SVRCHOST.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe SVRCHOST.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
WorkgroupCrawler\Shares
shared = "New Games.exe"

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NofolderOptions = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • SVRCHOST.exe
  • New Games.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[Autorun]
Open=SVRCHOST.exe
Shellexe cute=SVRCHOST.exe
Shell\Open\command=SVRCHOST.exe
Shell=Open