WORM_GERAL
Microsoft: Dogrobot, Dogkild; Ikarus: Geral; VBA32: Geral
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
GERAL (also known as The Robot Dog) is used to terminate security-related applications in order to download and execute other malicious files. As a result, system security is compromised.
TECHNICAL DETAILS
Yes
Compromises system security, Terminates processes, Downloads files
Installation
This worm drops the following files:
- %System%\drivers\TvPlus.sys
- %System%\drivers\pcidump.sys
- %System%\jxgamepacik.pak
- %User Temp%\{random}.exe
- %Windows%\extext{random}t.exe
- %Windows%\{random}test.dll
- %Windows%\{random}text.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following copies of itself into the affected system:
- %System%\scvhost.exe
- %System%\kav.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It creates the following folders:
- %Program Files%\KAV
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
RsTray = "%System%\scvhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
kav = "%System%\kav.exe"
It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application}
{application} = "svchost.exe"
Other System Modifications
This worm adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application}
Other Details
This worm connects to the following possibly malicious URL:
- http://{BLOCKED}re.cn/xx8/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}4.cc/2/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}4.cc/7/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}2.{BLOCKED}j.com:18888/57/tj.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
- http://{BLOCKED}o.{BLOCKED}2.org:300/up23/Count.asp?mac={mac address}&ver={version}&os={OS}&dtime={date}
- http://www.{BLOCKED}2432.cn/0001/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://www.{BLOCKED}2432.cn/0004/Count.asp?mac={mac address}&ver={version}&os={OS}
- http://{BLOCKED}3.cn/xx8/ttnew.txt
- http://{BLOCKED}2.cn/0001/ttnew.txt
- http://{BLOCKED}2.cn/0004/ttnew.txt
- http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/d.txt
- http://{BLOCKED}z.{BLOCKED}ns.com:18184/c/host.txt
- http://{BLOCKED}t.{BLOCKED}8.xicp.cn:300/aas.txt
- http://{BLOCKED}8.com/xin/host.jpg
- http://{BLOCKED}8.com/xin/xx2.txt
- http://{BLOCKED}8.com/xin/xx7.txt