Thursday, February 14, 2008

Virus "W32/AHKHeap"


Type: Virus
SubType: Worm
Discovery Date: 05/21/2007
Length: MicrosoftPowerPoint.exe (462,050 bytes), svchost.exe (239,104 bytes)
Minimum DAT: 5035 (05/21/2007)
Updated DAT: 5112 (09/04/2007)
Minimum Engine: 5.1.00
Description Added: 05/21/2007
Description Modified: 06/23/2007 6:46 AM (PT)


Characteristics
This is a detection for a worm written as AutoHotkey scripts that spreads via removable drives. The dropped svchost.exe is not the Windows service host: it is the worm's own executable, placed under a familiar name and run with one of the dropped .txt scripts as its argument.

Upon execution, the worm drops the following files:
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) --> Media file
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) --> List of drives it tries to replicate to
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) --> Icon file
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) --> AutoHotkey script
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) --> List of drives the worm has been copied to
%Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) --> Copy of the worm
c:\heap41a\2.mp3 (56,467 bytes) --> Media file played when the alert box is displayed
c:\heap41a\drivelist.txt (72 bytes) --> List of drives to scan for
c:\heap41a\Icon.ico (318 bytes) --> Icon file
c:\heap41a\reproduce.txt (834 bytes) --> AutoHotkey script for registry manipulation
c:\heap41a\script1.txt (3,588 bytes) --> AutoHotkey script for message box creation
c:\heap41a\std.txt (439 bytes) --> AutoHotkey script for registry manipulation and for running the other scripts
c:\heap41a\svchost.exe (239,104 bytes) --> Copy of the worm
c:\heap41a\offspring\autorun.inf (21 bytes) --> Used to auto-run the worm when the drive is accessed

Creates the following registry value so that it is launched at system startup (the value runs the dropped svchost.exe with std.txt as its script argument; a legitimate "winlogon" entry does not belong under this key):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"winlogon" = "C:\heap41a\svchost.exe C:\heap41a\std.txt"
Disables the "Show hidden files and folders" option in Folder Options by setting the following registry value (the default is 1; 0 keeps the dropped files out of view in Explorer):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = 00000000

The worm also prevents the user from accessing certain websites, such as orkut.com and youtube.com, and displays a message box instead.

Symptoms
Presence of the files and registry values listed above.
A message box appears when trying to access orkut.com or youtube.com.

Method of Infection
The worm spreads via removable drives. Infection starts either with manual execution of the binary or by opening a drive or folder containing the infected files, where the dropped autorun.inf causes the worm to be executed automatically.

Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
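The Symptoms and Removal sections above list indicators but no procedure for checking a machine. The following PowerShell script is an added example, not part of the original McAfee description and not the worm's own code: it checks every indicator named on this page (the two drop directories, the Policies\Explorer\Run "winlogon" value, SHOWALL\CheckedValue, a running svchost.exe whose image is outside System32, and autorun.inf on removable drives) and, with -Remediate, undoes them. The exact layout the worm writes to removable drives is not given in the description, so the removable-drive check (an autorun.inf or heap41a folder at the drive root) and the final AutoRun-disabling step are assumptions added for hardening. Run it from an elevated prompt.

```powershell
# Added example: W32/AHKHeap indicator check and clean-up (not McAfee's or the worm's code).
# Paths, value names and the "winlogon" entry come from the description above;
# the removable-drive layout and the -Remediate / AutoRun hardening steps are assumptions.
param([switch]$Remediate)

$dropDir    = 'C:\heap41a'
$tempDir    = Join-Path $env:TEMP 'MicrosoftPowerPoint\MicrosoftPowerPoint'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$runValue   = 'winlogon'
$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$findings = @()

# 1. Dropped files in the two staging directories (listed with sizes for comparison
#    against the lengths given in the description).
foreach ($dir in @($dropDir, $tempDir)) {
    if (Test-Path -LiteralPath $dir) {
        $findings += "Drop directory present: $dir"
        foreach ($f in Get-ChildItem -LiteralPath $dir -Recurse -Force -File) {
            $findings += ('  {0} ({1} bytes)' -f $f.FullName, $f.Length)
        }
    }
}

# 2. Startup hook: Policies\Explorer\Run "winlogon" pointing at the dropped svchost.exe.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run -and $run.$runValue -match 'heap41a') {
    $findings += "Startup hook: $runKey\$runValue = $($run.$runValue)"
}

# 3. "Show hidden files" suppressed: CheckedValue is 0 instead of the default 1.
$show = Get-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue
if ($show -and $show.CheckedValue -eq 0) {
    $findings += 'SHOWALL\CheckedValue is 0 (hidden files are not shown)'
}

# 4. Running copy: any svchost.exe whose image does not live in System32.
$rogue = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
           Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" })
foreach ($p in $rogue) { $findings += "Rogue svchost.exe PID $($p.Id): $($p.Path)" }

# 5. Removable drives (DriveType 2) carrying an autorun.inf that references heap41a,
#    or a heap41a folder at the root. Assumed layout; the description does not spell it out.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
             ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $removable) {
    $inf = Join-Path $root 'autorun.inf'
    if ((Test-Path -LiteralPath $inf) -and
        (Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue) -match 'heap41a') {
        $findings += "Removable drive autorun.inf referencing heap41a: $inf"
    }
    $folder = Join-Path $root 'heap41a'
    if (Test-Path -LiteralPath $folder) { $findings += "Removable drive copy: $folder" }
}

if ($findings.Count -eq 0) { Write-Output 'No W32/AHKHeap indicators found.'; return }
$findings | ForEach-Object { Write-Output $_ }
if (-not $Remediate) { return }

# Clean-up, in the order that avoids the worm re-dropping itself: stop the running
# copy first, then remove the startup hook, restore the hidden-files setting and delete files.
$rogue | Stop-Process -Force -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if (Test-Path -Path $showAllKey) {
    Set-ItemProperty -Path $showAllKey -Name CheckedValue -Value 1 -Type DWord
}
foreach ($dir in @($dropDir, $tempDir)) {
    if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force }
}
foreach ($root in $removable) {
    foreach ($name in @('autorun.inf', 'heap41a')) {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
}

# Hardening beyond what the description lists: disable AutoRun for all drive types (0xFF),
# which removes the autorun.inf infection path for future removable media.
if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Write-Output 'Remediation applied; reboot and re-run this script to confirm nothing returns.'
```

Run without -Remediate first to see what is found; the file sizes it prints can be compared with the lengths in the drop list above, and the rogue svchost.exe check is the quickest way to tell the worm's executable apart from the real Windows service host, which only ever runs from System32.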
