| Memory resident: Yes
Size of malware: 290,816 Bytes
Initial samples received on: Sep 9, 2010
Related to: VBS_MEYLME.B
Details:
Arrival Details
This worm arrives via removable drives and network shares. It may be downloaded unknowingly by a user when visiting the following malicious websites:
- http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
Installation
This worm drops the following copy(ies) of itself:
- %Windows%\csrss.exe
- %Windows%\system\updates.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Techniques
This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = “Explorer.exe %Windows%\csrss.exe”
(Note: The default value data for the said registry entry is Explorer.exe.)
Other System Modifications
This worm creates the following registry key(s)/entry(ies):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\Explorer
HideSCAHealth = “1″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\system
EnableLUA = “0″
EnableVirtualization = “0″
PromptOnSecureDesktop = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\Shares
updates = “CSC”
Flags = “0″
MaxUses = “100″
Path = “%Windows%\system”
Permissions = “0″
Remark = “Public share for update.”
Type = 0″
It deletes the following file(s):
- %System%\drivers\etc\hosts
It deletes the following registry key(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It adds the following registry entry(ies) so that a copy of itself is executed when certain files are run:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\{file}
Debugger = “csrss.exe”
Note that {file} refers to the following:
- _aVP32.ExE
- _aVPCC.ExE
- _aVPM.ExE
- 00hoeav.com
- 0w.com
- 360rpt.ExE
- 360safe.ExE
- 360safebox.ExE
- 360tray.ExE
- 6.bat
- 6fnlpetp.exe
- 6x8be16.cmd
- a2cmd.ExE
- a2free.ExE
- a2service.ExE
- a2upd.ExE
- abk.bat
- adobe Gamma Loader.exe
- algsrvs.exe
- algssl.exe
- angry.bat
- aNtIaRP.ExE
- antihost.exe
- anti-trojan.exe
- aNtS.ExE
- apu.stt
- apu-0607g.xml
- aPVxdWIN.ExE
- arSwp.ExE
- ashdisp.exe
- ashEnhcd.exe
- ashLogV.exe
- ashMaiSv.exe
- ashPopWz.exe
- ashQuick.exe
- ashServ.exe
- ashSkPcc.exe
- ashUpd.exe
- ashWebSv.exe
- ast.ExE
- aswBoot.exe
- aswRegSvr.exe
- aswUpdSv.exe
- autorun.bin
- autoRun.ExE
- autorun.ini
- autorun.reg
- autorun.txt
- autorun.wsh
- autoRunKiller.ExE
- autoruns.exe
- autorunsc.exe
- avadmin.exe
- avastSS.exe
- avcenter.exe
- avciman.exe
- avconfig.exe
- aVCONSOL.ExE
- aVENGINE.ExE
- avgamsvr.exe
- avgas.exe
- avgcc.exe
- avgcc32.exe
- avgemc.exe
- avginet.exe
- avgnt.exe
- avgrssvc.exe
- avgrsx.exe
- avgscan.exe
- avgscanx.exe
- avgserv.exe
- avguard.exe
- avgupsvc.exe
- avgw.exe
- avgwdsvc.exe
- avltd.exe
- avmailc.exe
- avMonitor.ExE
- avnotify.exe
- avp.com
- avp.exe
- aVP32.ExE
- aVPCC.ExE
- aVPM.ExE
- avscan.exe
- avzkrnl.dll
- bad1.exe
- bad2.exe
- bad3.exe
- bdagent.exe
- bdsubwiz.exe
- BdSurvey.exe
- BIOSREad.exe
- blackd.exe
- blackice.exe
- caiss.exe
- caissdt.exe
- catcache.dat
- cauninst.exe
- Cavapp.ExE
- cavasm.ExE
- CavaUd.ExE
- CaVCmd.exe
- CaVCtx.exe
- CavEmSrv.ExE
- Cavmr.ExE
- CavMUd.ExE
- Cavoar.ExE
- CavQ.ExE
- CaVRep.exe
- CaVRid.exe
- CaVSCons.ExE
- cavse.ExE
- CavSn.ExE
- CavSub.ExE
- CaVSubmit.ExE
- CavUMaS.ExE
- CavUserUpd.ExE
- Cavvl.ExE
- CCenter.ExE
- CEmRep.ExE
- ckahcomm.dll
- ckahrule.dll
- ckahum.dll
- cleaner.exe
- cleaner3.exe
- clldr.dll
- CMain.ExE
- copy.exe
- curidsbase.kdz
- destrukto.vbs
- dF5Serv.exe
- diffs.dll
- drvins32.exe
- drwadins.exe
- drweb32w.exe
- drweb386.exe
- drwebscd.exe
- drwebupw.exe
- drwebwcl.exe
- drwreg.exe
- e.cmd
- e9ehn1m8.com
- edb.chk
- egui.exe
- ekrn.exe
- EMdISK.exe
- f0.cmd
- FileKan.exe
- flashy.exe
- FPaVServer.exe
- FProttray.exe
- fpscan.exe
- fptrayproc.exe
- FPWin.exe
- FrameworkService.exe
- Frameworkservice.ExE
- FRW.ExE
- FrzState2k.exe
- fs6519.dll.vbs
- fssf.exe
- fssync.dll
- fun.xls.exe
- g2pfnid.com
- GetSI.dll
- GFUpd.ExE
- guard.exe
- GuardField.ExE
- guardgui.exe
- guardxkickoff.exe
- guardxkickoff_x64.exe
- guardxservice.exe
- guardxup.exe
- h3.bat
- Hijackthis.ExE
- hookinst.exe
- host.exe
- i.bat
- iamapp.exe
- iamserv.exe
- IceSword.ExE
- ICLOad95.ExE
- ICLOadNt.ExE
- ICMON.ExE
- ICSUPP95.ExE
- ICSUPPNt.ExE
- Identity.exe
- iefqwp.cmd
- IEShow.exe
- IFaCE.ExE
- ij.bat
- InstallCaVS.ExE
- InstLsp.ExE
- Iparmor.ExE
- iSafe.exe
- iSafInst.exe
- KaSaRP.ExE
- kav.bav
- kav32.ExE
- kavbase.kdl
- KaVPFW.ExE
- kavstart.ExE
- ker.vbs
- KeyMgr.exe
- killVBS.vbs
- kissvc.ExE
- kl1.sys
- klavemu.kdl
- klbg.cat
- klbg.sys
- klif.cat
- klif.sys
- klim5.sys
- kmailmon.ExE
- KPfwSvc.ExE
- KRegEx.ExE
- KVSrvxP.ExE
- KVWSC.ExE
- kwatch.ExE
- licmgr.ex
- licreg.exe
- lky.exe
- lockdown2000.exe
- m2nl.bat
- mbam.exe
- mcagent.exe
- mcappins.exe
- mcaupdate.exe
- mcdash.exe
- Mcdetect.exe
- mcinfo.exe
- mcinsupd.exe
- mcmnhdlr.exe
- mcregwiz.exe
- McShield.exe
- Mctray.exe
- mcupdmgr.exe
- mcupdui.exe
- McVSEscn.exe
- mcvsftsn.exe
- mcvsmap.exe
- mghtml.exe
- Mmsk.ExE
- MooLive.exe
- msdos.pif
- msfir80.exe
- MSGrc32.vbs
- msime80.exe
- msizap.exe
- msmsgs.exe
- msvcm80.dll
- msvcp80.dll
- msvcr71.dll
- msvcr80.dll
- mzvkbd.dll
- mzvkbd3.dll
- naiavfin.exe
- naPrdMgr.exe
- Navapsvc.ExE
- NaVaPW32.ExE
- NaVW32.ExE
- netcfg.dll
- new folder.exe
- njibyekk.com
- nod32.exe
- nod32krn.exe
- nod32kui.exe
- oasclnt.exe
- olb1iimw.bat
- OnaccessInstaller.ExE
- Pagent.exe
- Pagentwd.exe
- PavFnSvr.exe
- pavprsrv.exe
- PavReport.exe
- pavsched.exe
- PaVSRV51.ExE
- pavtest.exe
- pctsauxs.exe
- pctsSvc.exe
- pctstray.exe
- PFW.ExE
- preupd.exe
- prloader.dll
- procexp.exe
- psctrlc.exe
- PsCtrlS.exe
- PSHost.exe
- PsImSvc.exe
- pskmssvc.exe
- QQdoctor.ExE
- QtnMaint.exe
- RaV.ExE
- ravmon.exe
- Ravservice.ExE
- RavStub.ExE
- RaVtRaY.ExE
- rcukd.cmd
- reload.exe
- rescue32.exe
- rescuecd.zip
- rfwmain.ExE
- rfwProxy.ExE
- rfwsrv.ExE
- Rfwstub.ExE
- rose.exe
- RStray.ExE
- Runiep.ExE
- safeboxtray.ExE
- sal.xls.exe
- sched.exe
- SCVHOSt.exe
- scvhosts.exe
- SCVHSOt.exe
- SCVVHOSt.exe
- scvvhosts.exe
- SCVVHSOt.exe
- seccenter.exe
- SendLogs.exe
- session.exe
- shstat.exe
- Socksa.ex
- SOLOCFG.exe
- SOLOLItE.exe
- SOLOSCaN.exe
- SOLOSENt.exe
- Sphinx.exe
- spidercpl.exe
- spiderml.exe
- spidernt.exe
- spiderui.exe
- spml_set.exe
- Spybotsd.exe
- SREngLdr.ExE
- ssvichosst.exe
- sxs.exe
- system.exe
- tca.exe
- temp.exe
- temp2.exe
- toy.exe
- tPSrv.exe
- trojandetector.ExE
- trojanwall.ExE
- trojdie.KxP
- UdaterUI.exe
- uiscan.exe
- unp_test.ExE
- update.exe
- updater.dll
- UPSdbMaker.ExE
- userdump.exe
- UUpd.ExE
- v.exe
- Vba32act.exe
- Vba32arkit.exe
- Vba32ECM.exe
- Vba32ifs.exe
- vba32ldr.exe
- Vba32PP3.exe
- Vba32Qtn.exe
- vbcmserv.exe
- vbcons.exe
- vbglobal.exe
- vbimport.exe
- vbinst.exe
- vbscan.exe
- vbsystry.exe
- VetMsg.exe
- virusutilities.exe
- Visthaux.exe
- VPC32.ExE
- VPtRaY.ExE
- VSECOMR.ExE
- VSHWIN32.ExE
- vsmon.exe
- vsserv.exe
- VSStat.ExE
- VstskMgr.exe
- WEBPROxY.ExE
- WEBSCaNx.ExE
- whi.com
- WinGrc32.dll
- WOPtILItIES.ExE
- Wradmin.exe
- WrCtrl.exe
- wscntfy.exe
- wsctool.exe
- yannh.cmd
- ybj8df.exe
- zonealarm.exe
Propagation via Email
This worm gathers email addresses from Microsoft Outlook contacts and uses Messaging Application Protocol Interface (MAPI) to send email messages with a link to a copy of itself. The email messages it sends out bear the following details:
Subject: (any of the following)
• Just for you
• Here you have
Message body:
Hello:
This is The Document I told you about,you can find it Here. http://www.{BLOCKED}ocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
It can also gather email addresses from the Yahoo! contacts and uses the SendEmail tool to send an email with the following details:
Subject: hi
Message body:
Hello:
This is The Free Dowload Sex Movies, you can find it Here.
http://www.{BLOCKED}movies.com/library/SEX21.023342010.wmv
Enjoy your time.
Cheers,
It makes use of Gmail as its SMTP server to send the above email using the following user name and password pairs as credentials:
UPass one:
- SMTPUsername: {BLOCKED}taylor2003
- SMTPPassword: {BLOCKED}1984
UPass two:
- SMTPUsername: {BLOCKED}e.brain
- SMTPPassword: {BLOCKED}fm
Both the links mentioned in these emails lead to http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr.
Propagation via Physical/Removable/Floppy Drives
This worm drops copies of itself in all removable drives.
It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains the following strings:
[AutoRun]
open=open.exe
icon=%System%\shell32.dll,8
action=Open Drive to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
Propagation via Network Shares
This worm uses a VB script, found in the malware code, to list down all the users in the network and drops a copy of itself as N73.Image12.03.2009.JPG.scr or {computer_name} CV 2010.exe in drives C to H.
A copy is also dropped in shared folders, specifically the following:
It forces the %Windows%\system folder to be shared as \\{computer_name}\updates.
The shared folders and drives where the malware drops a copy of itself are enumerated at the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
{number} = “{folder path}”
Trend Micro detects the aforementioned script as VBS_MEYLME.B.
Other Details
This worm stops and deletes the following services related to antivirus applications:
- Avast! Antivirus
- aswUpdSv
- avast! Mail Scanner
- avast! Web Scanner
- AntiVirService
- AntiVirMailGuard
- AntiVirSchedulerService
- McShield
- AntiVirFirewallService
- NIS
- MSK80Service
- 0053591272669638mcinstcleanup
- mfefire
- McNASvc
- Mc0obeSv
- McMPFSvc
- McProxy
- Mc0DS
- mcmscsvc
- McAfee SiteAdvisor Service
- mfevtp
- Avgfws9
- AVG Security Toolbar Service
- avg9wd
- AVGIDSAgent
- PAVFNSVR
- Gwmsrv
- PSHost
- PSIMSVC
- PAVSRV
- PavPrSrv
- PskSvcRetail
- Panda Software Controller
- TPSrv
- SfCtlCom
- TmProxy
- TMBMServer
- Arrakis3
- LIVESRV
- scan
- VSSERV
- sdAuxService
- sdCoreService
- AVP
This disables antivirus applications, which in turn renders the affected system unprotected from threats.
It also terminates the following processes if found running in the system:
- Usbguard.exe
- CPE17AntiAutoruna.exe
- outlook.exe
It attempts to access URLs to download files. Based from this worm’s code, the files are saved as the following:
- %System%\SendEmail.dll
- %Windows%\tryme1.exe
- %Windows%\ff.exe
- %Windows%\gc.exe
- %Windows%\ie.exe
- %Windows%\im.exe
- %Windows%\op.exe
- %Windows%\pspv.exe
- %Windows%\rd.exe
- %Windows%\re.exe
These are mostly networking and password utilities.
However, as of this writing, the URLs it attempts to access are inaccessible.
Affected Platforms
This worm runs on Windows 2000, XP, and Server 2003.
Analysis By: Jessa De La Torre
Updated By: Karl Dominguez
Revision History:
|
| Sep 10, 2010 – Modified Malware Report |
|
