WORM_SPYBOT.BUQ
W32/Sality.AA(Fortinet), Virus:Win32/Sality.AM(Microsoft), Win32/Sality.NAR virus(NOD32), W32/Autorun.worm.ev(McAfee)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.
It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It modifies the Internet Explorer Zone Settings.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following files:
- {removable drive letter}:\lbmxc.cmd
- %System%\{random folder name}\{malware filename}.exe
- %System%\{random folder name}\{random filename}.{random extensions}
- %Windows%\LastGood\INF\oem13.inf
- %Windows%\LastGood\INF\oem13.PNF
- %Windows%\inf\oem13.inf
- %Windows%\inf\oem13.PNF
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKLM\Software\Microsoft\
Windows\CurrentVersion\Run
{malware filename} = "%System%\{random number}\{malware filename}.exe"
It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:
- {malware filename}.lnk
Other System Modifications
This worm adds the following registry keys:
HKCU\Software\{username}{random numbers}
HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
It modifies the following registry entries:
HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = "1"
(Note: The default value data of the said registry entry is "0".)
HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"
(Note: The default value data of the said registry entry is "1".)
HKLM\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
Enablefirewall = "0"
(Note: The default value data of the said registry entry is "1".)
HKLM\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"
(Note: The default value data of the said registry entry is "1".)
It adds the following registry entries to disable the Task Manager:
HKCU\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = "1"
It modifies the following registry entries to hide files with Hidden attributes:
HKCU\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
It creates the following registry entry(ies) to bypass Windows Firewall:
HKLM\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{application path and filename} = "{application path and filename}:*:Enabled:ipsec"
It deletes the following registry keys:
HKLM\SYSTEM\CurrentControlSet\
Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\
Services\ALG
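The registry changes listed above are the ones a responder can verify directly on a suspect host. The following PowerShell script is an added triage example, not part of the Trend Micro entry and not code from the worm: it reads each policy and firewall value named in this section, compares it with the default the entry states, checks that the SafeBoot and ALG keys still exist, and lists Run entries and firewall exceptions that match the patterns described here. The value paths and defaults come from the entry; the script checks CurrentControlSet, which is normally the same control set as the ControlSet001 paths quoted above. The output format, the helper name Get-RegValue and the choice to treat a missing value as its default are assumptions of this example.

```powershell
# Added triage script (not from the Trend Micro entry). Run in an elevated
# PowerShell session on the suspect host. It only reads the registry.

# Values the entry says the worm sets, with the defaults the entry states.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Default = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';            Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall';       Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'DoNotAllowExceptions'; Default = 1 }
)

# Keys the entry says the worm deletes; both exist on every normal install.
$requiredKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ALG'
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Policy and firewall values that differ from their stated default.
foreach ($c in $checks) {
    $value = Get-RegValue $c.Path $c.Name
    if ($null -ne $value -and [int]$value -ne $c.Default) {
        $findings.Add(('{0}\{1} = {2} (expected default {3})' -f $c.Path, $c.Name, $value, $c.Default))
    }
}

# 2. SafeBoot and ALG keys removed.
foreach ($key in $requiredKeys) {
    if (-not (Test-Path -Path $key)) { $findings.Add("Missing key: $key") }
}

# 3. Run entries pointing at an .exe in a subfolder directly under %System%,
#    the layout the entry gives for the worm's autostart entry.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$sys32     = [regex]::Escape((Join-Path $env:SystemRoot 'System32'))
$runRegex  = '^"?' + $sys32 + '\\[^\\]+\\[^\\]+\.exe'
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match $runRegex) {
            $findings.Add("Run entry into a System32 subfolder: $($p.Name) = $($p.Value)")
        }
    }
}

# 4. Firewall exceptions whose display name is "ipsec", the format the entry quotes.
$authList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$auth = Get-ItemProperty -Path $authList -ErrorAction SilentlyContinue
if ($auth) {
    foreach ($p in $auth.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match ':\*:Enabled:ipsec$') {
            $findings.Add("Firewall exception named ipsec: $($p.Value)")
        }
    }
}

# 5. Shortcuts in the user's Startup folder; the entry gives only the .lnk name pattern.
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Startup shortcut to review: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No indicators from the WORM_SPYBOT.BUQ entry found.' } else { $findings }
```

The Explorer "Hidden" value listed above is deliberately not compared against a default: a value of 2 (do not show hidden files) is also the stock setting on a fresh installation, so on its own it is not evidence of infection. A missing SafeBoot key, by contrast, is a strong indicator, since every Windows installation ships with one and removing it prevents booting into Safe Mode. Treat Run entries and Startup shortcuts found by steps 3 and 5 as leads to examine, not as verdicts: legitimate software can also start from a System32 subfolder.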
Propagation
This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It infects files of the following file type(s) in network shares, ensuring its propagation across the network:
- EXE
Web Browser Home Page and Search Page Modification
This worm modifies the Internet Explorer Zone Settings.
Other Details
This worm connects to the following possibly malicious URL:
- http://ahmed2981982.{BLOCKED}e.com
- http://{BLOCKED}amui.com
- http://www.{BLOCKED}amui.com
- http://lyceumbv.{BLOCKED}z.cz
- http://e.{BLOCKED}z.cz
- http://{BLOCKED}lic.net
- http://{BLOCKED}p.net
- http://{BLOCKED}oe.net
- http://www.{BLOCKED}lcrossing.com
- http://towlie123.to.{BLOCKED}c.de
- http://www.{BLOCKED}l.de
NOTES:
This worm deletes any existing AUTORUN.INF on removable drives connected to the affected system and replaces it with an AUTORUN.INF that executes the copy it dropped on the drive.
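The propagation behaviour described under Propagation and in the note above leaves three artifacts on a removable drive: the replaced AUTORUN.INF, copies of the worm named after folders already on the drive, and the dropped lbmxc.cmd. The PowerShell script below is an added example, not part of the Trend Micro entry and not the worm's own code: it inspects every ready removable drive (or a folder passed to Test-SpybotRemovableDrive, for testing against a copied image) and reports those artifacts without modifying anything. The AUTORUN.INF keys it extracts (open, shellexecute and shell\...\command) are the standard keys Windows honours; the entry does not say which one the worm writes, nor what extension the folder-named copies carry, so the script reports any file whose base name matches a sibling folder and leaves the judgement to the analyst. The function names and output format are assumptions of this example.

```powershell
# Added triage script (not from the Trend Micro entry). Read-only: it does not
# delete or rename anything on the drive.

function Get-AutorunTargets([string]$InfPath) {
    # Returns the launch commands found in the [autorun] section of an INF file.
    # Parses only the keys Windows uses to start something (open, shellexecute,
    # shell\<verb>\command); everything else in the file is ignored.
    $targets = @()
    $inSection = $false
    foreach ($line in (Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue)) {
        $l = $line.Trim()
        if ($l -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $l -eq '' -or $l.StartsWith(';')) { continue }
        if ($l -match '^(?<key>open|shellexecute|shell\\[^=]*\\command)\s*=\s*(?<val>.+)$') {
            $targets += ('{0} = {1}' -f $Matches['key'], $Matches['val'])
        }
    }
    return $targets
}

function Test-SpybotRemovableDrive([string]$Root) {
    # Returns one line per artifact found in $Root (a drive root such as E:\,
    # or any folder holding a copy of a drive's contents).
    $findings = @()

    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf present: $inf"
        foreach ($t in @(Get-AutorunTargets $inf)) { $findings += "  launches: $t" }
    }

    $cmd = Join-Path $Root 'lbmxc.cmd'
    if (Test-Path -LiteralPath $cmd) { $findings += "dropped file present: $cmd" }

    # Copies that borrow the name of a folder in the same directory,
    # e.g. Photos.exe sitting next to Photos\. -Force includes hidden files.
    $entries     = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue)
    $folderNames = @($entries | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name.ToLowerInvariant() })
    foreach ($f in ($entries | Where-Object { -not $_.PSIsContainer })) {
        $base = [System.IO.Path]::GetFileNameWithoutExtension($f.Name).ToLowerInvariant()
        if ($folderNames -contains $base) {
            $findings += "file named after a folder: $($f.FullName) (hidden: $($f.Attributes -band [IO.FileAttributes]::Hidden))"
        }
    }
    return $findings
}

# Inspect every removable drive that is currently mounted and readable.
$drives = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
foreach ($d in $drives) {
    "== $($d.Name)"
    $result = @(Test-SpybotRemovableDrive -Root $d.Name)
    if ($result.Count -eq 0) { '  no indicators' } else { $result }
}
```

Because the worm overwrites whatever AUTORUN.INF was on the drive, a launch command that points at a file in the drive root is the thing to look at first; compare its target against the folder-named files the script lists. A file whose base name matches a folder and which carries the hidden attribute is the classic bait: with Explorer set to hide hidden files (the "Hidden" = 2 setting above) the user sees only one entry and opens the executable instead of the folder.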