
W32/Xirtem@MM

Type: Virus
SubType: Worm
Discovery Date: 12/03/2008
Length: varies
Minimum DAT: 5453 (12/03/2008)
Updated DAT: 6596 (01/21/2012)
Minimum Engine: 5.4.00
Description Added: 12/03/2008
Description Modified: 01/12/2012 2:21 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

--Updated on January 12, 2012--

File Information -

    • MD5  - AD9EA226E7518973D7026522546FC02A
    • SHA1 - 7c16bb8d8daf1f6e5d0d73cbe0ddf7ef37a11d08

In addition to the previous malware descriptions, the sample identified above has also exhibited the following characteristics:

The malware adds the following keys to start the dropped files at reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Chuzal"
    Data: rundll32.exe  "%WinDir%\mstsfd.dll",Startup
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Nokia Launch Application"
    Data: %WinDir%\system32\PCSuite.exe

The malware adds the following key to allow access through the firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%WinDir%\system32\PCSuite.exe"
    Data: %WinDir%\system32\PCSuite.exe:*:Enabled:Explorer

The following files are dropped to the system:

  • %WinDir%\mstsfd.dll (detected as Hiloti.gen.i)
  • %WinDir%\system32\PCSuite.exe (detected as W32/Xirtem@MM)
  • %WinDir%\system32\sta-css.exe (detected as Hiloti.gen.i)
  • %WinDir%\system32\stat-cpe.exe (detected as BackDoor-AWQ.b)

The malware may contact the following domains for SMTP traffic:

  • mail.silverorange.com
  • nova.silverorange.com
  • smtp.kuzbass.net
  • mail.messaging.microsoft.com
  • pw-in-f27.1e100.net
  • mail.global.frontbridge.com
  • clementine.silverorange.com
  • xnacreators.net
  • mail.winternals.com
  • kemtel.ru
  • mailhost.sandelman.ca
  • 4shared.com
  • gmail.com
  • about.com

--Updated on December 14, 2010--

File Information -

    • MD5  - 3e41ab7c70701452d046b93f764564ec
    • SHA1 - 2e7b8a05e97ba1a66b47ca69db76c3c5a8a4181c

Aliases -

    • BitDefender - Win32.Worm.TSY
    • DrWeb - Trojan.AVKill.3097
    • Kaspersky - Trojan.Win32.Buzus.gcjo
    • Microsoft - VirTool:Win32/DelfInject.gen!AC

Upon execution, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain: [removed].kathell.com

Upon execution, the worm drops the following files onto the system:

    • %Temp%\TWAIN.LOG
    • %Temp%\Twain001.Mtx
    • %WinDir%\System32\sta-css.exe [Detected as Hiloti.gen.i]
    • %WinDir%\System32\stat-cpe.exe [Detected as Backdoor-AWQ.b]
    • %WinDir%\nlunupr.dll [Detected as Hiloti.gen.i]

It also copies itself to the following location:

    • %WinDir%\System32\Bluetooth.exe

This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names:

    • %ProgramFiles%\LimeWire\Shared\Rapidshare Auto Downloader 3.8.exe
    • %ProgramFiles%\LimeWire\Shared\Trojan Killer v2.9.4173.exe
    • %ProgramFiles%\LimeWire\Shared\PDF to Word Converter 3.0.exe
    • %ProgramFiles%\LimeWire\Shared\Google SketchUp 7.1 Pro.exe
    • %ProgramFiles%\LimeWire\Shared\McAfee Total Protection 2010.exe
    • %ProgramFiles%\LimeWire\Shared\Mp3 Splitter and Joiner Pro v3.48.exe
    • %ProgramFiles%\LimeWire\Shared\Youtube Music Downloader 1.0.exe
    • %ProgramFiles%\LimeWire\Shared\Adobe Acrobat Reader keygen.exe
    • %ProgramFiles%\LimeWire\Shared\VmWare keygen.exe
    • %ProgramFiles%\LimeWire\Shared\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • %ProgramFiles%\LimeWire\Shared\Ad-aware 2010.exe
    • %ProgramFiles%\LimeWire\Shared\BitDefender AntiVirus 2010 Keygen.exe
    • %ProgramFiles%\LimeWire\Shared\Norton Anti-Virus 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Daemon Tools Pro 4.50.exe
    • %ProgramFiles%\Grokster\My Grokster\Download Boost 2.0.exe
    • %ProgramFiles%\Grokster\My Grokster\Uniblue RegistryBooster 2010.exe
    • %ProgramFiles%\Grokster\My Grokster\Grand Theft Auto Episodes From Liberty City 2010.exe
    • %ProgramFiles%\Grokster\My Grokster\Alcohol 120 v1.9.7.exe
    • %ProgramFiles%\Grokster\My Grokster\CleanMyPC Registry Cleaner v6.02.exe
    • %ProgramFiles%\Grokster\My Grokster\Super Utilities Pro 2009 11.0.exe
    • %ProgramFiles%\Grokster\My Grokster\Power ISO v4.2 + keygen axxo.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Download Accelerator Plus v9.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Internet Download Manager V5.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Myspace theme collection.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Nero 9 9.2.6.0 keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Motorola, nokia, ericsson mobil phone tools.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\AVS Video Converter v6.3.1.365 CRACKED.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Daemon Tools Pro 4.50.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Download Boost 2.0.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Uniblue RegistryBooster 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Grand Theft Auto Episodes From Liberty City 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Alcohol 120 v1.9.7.exe

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir
    • HKEY_LOCAL_MACHINE\SOFTWARE\bt1
    • HKEY_USERS\S-1-[varies]\Software\bt1

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
      EnableLUA = 0x00000000
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir\
      Pvunecolayiza =
      Sxujoqoyamuk =
      Kxutudevibebax = "173"
      Eyaqaqojunehohi =
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\
      FailureActions =
      DeleteFlag = 0x00000001
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\
      FailureActions =
      DeleteFlag = 0x00000001
    • HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\
      blue1 = "12"
      blue12 = "13"

The worm registers itself as an authorized application with the Windows Firewall, and registers itself to run at startup, by adding the following values to the registry:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\system32\Bluetooth.exe: "%WinDir%\system32\Bluetooth.exe:*:Enabled:Explorer"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      BlueTooth HID = "%WinDir%\system32\Bluetooth.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nfuti = "rundll32.exe  "%WinDir%\nlunupr.dll",Startup"

The two Run entries above confirm that the worm registers itself to execute on every reboot.

The following registry values have been modified:

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
                  "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
                  "Start:" = "0x00000004"

The registry entries above confirm that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc).

The worm connects to the following hosts on port 25 to download malicious files:

    • 89.201.[removed]
    • [removed].recro.hr
    • 217.198.[removed]
    • [removed].famatech.com
    • 131.107.[removed]
    • [removed]bookmail.com
    • 136.248.[removed]
    • 205.248.[removed]
    • 216.32.[removed]
    • 65.55.[removed]
    • mail.[removed].frontbridge.com

The worm also connects to the following hosts on port 80:

    • 65.55.[removed]
    • 72.233.[removed]
    • 94.75.[removed]

The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

Email Senders:

Email Recipients:

    • [user's email address]

[Note : %ProgramFiles% - C:\Program Files, and  %WinDir% - C:\WINDOWS]

---------

--Updated October 26, 2010--

File Information -

    • MD5 - ad9ea226e7518973d7026522546fc02a
    • SHA1 - 7c16bb8d8daf1f6e5d0d73cbe0ddf7ef37a11d08

Aliases -

    • DrWeb - Trojan.MulDrop1.54160
    • Symantec - W32.Ackantta.H@mm
    • Kaspersky - Trojan.Win32.Buzus.gdef
    • Microsoft - Trojan:Win32/Meredrop
    • NOD32 - Win32/Merond.O

Upon execution, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain: [removed]da112c.coginix.org

Upon execution, the worm drops the following files onto the system:

    • %Temp%\TWAIN.LOG
    • %Temp%\Twain001.Mtx
    • %WinDir%\System32\sta-css.exe [Detected as Hiloti.gen.i]
    • %WinDir%\System32\stat-cpe.exe [Detected as Backdoor-AWQ.b]
    • %WinDir%\slocic.dll [Detected as Hiloti.gen.i]

It also copies itself to the following location:

    • %WinDir%\System32\PCSuite.exe

This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names:

    • %ProgramFiles%\LimeWire\Shared\PDF-XChange Pro.exe
    • %ProgramFiles%\LimeWire\Shared\Windows 7 Ultimate keygen.exe
    • %ProgramFiles%\LimeWire\Shared\RapidShare Killer AIO 2010.exe
    • %ProgramFiles%\LimeWire\Shared\Ashampoo Snap 3.02.exe
    • %ProgramFiles%\LimeWire\Shared\Blaze DVD Player Pro v6.52.exe
    • %ProgramFiles%\LimeWire\Shared\Adobe Illustrator CS4 crack.exe
    • %ProgramFiles%\LimeWire\Shared\Rapidshare Auto Downloader 3.8.exe
    • %ProgramFiles%\Grokster\My Grokster\Anti-Porn v13.5.12.29.exe
    • %ProgramFiles%\Grokster\My Grokster\Norton Internet Security 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Kaspersky AntiVirus 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\PDF-XChange Pro.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Image Size Reducer Pro v1.0.1.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Anti-Porn v13.5.12.29.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Norton Internet Security 2010 crack.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Kaspersky AntiVirus 2010 crack.exe

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir
    • HKEY_LOCAL_MACHINE\SOFTWARE\Nokia4
    • HKEY_USERS\S-1-[varies]\Software\Nokia4

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
      EnableLUA = 0x00000000
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir\
      Kxutudevibebax = "176"
      Pvunecolayiza =
      Sxujoqoyamuk =
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\
      nok01 = "11"
      nok02 = "26"

The worm registers itself as an authorized application with the Windows Firewall, and registers itself to run at startup, by adding the following values to the registry:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\system32\PCSuite.exe: "%WinDir%\system32\PCSuite.exe:*:Enabled:Explorer"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nokia Launch Application = "%WinDir%\system32\PCSuite.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nfuti = "rundll32.exe  "%WinDir%\slocic.dll",Startup"

The two Run entries above confirm that the Trojan registers itself to execute on every reboot.

The following registry values have been modified.

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
                  "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
                  "Start:" = "0x00000004"

The registry entries above confirm that the Trojan disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc).

The worm also connects to the following hosts to download malicious files:

    • [removed].rev.ne.com.sg
    • 193.41.[removed]
    • 217.198.[removed]
    • mail.global.[removed].com
    • 89.201.[removed]
    • 207.46.[removed]
    • 84.17.[removed]
    • 64.26.[removed]
    • [removed].deploy.akamaitechnologies.com
    • sienna.[removed].com
    • [removed].deluxe.com
    • indigo.[removed].com
    • maroon.[removed].com
    • maila.[removed].com
    • cliffclavin.cs.[removed].edu
    • mail.metalab.[removed].edu
    • [removed]shared.com

The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

Email Senders:

Email Recipients:

    • [user's email address]

[Note : %ProgramFiles% - C:\Program Files, and  %WinDir% - C:\WINDOWS]

-------------------------

--Update October 15, 2010--

When executed, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain:

  • (varies).networkofart.net

The following files have been dropped into the system:

  • %WINDIR%\system32\hp-513.exe [Detected as Hiloti.gen.e]
  • %WINDIR%\kbanet40.dll (name varies) [Detected as Hiloti.gen.e]

It also drops copies of itself into the following locations:

  • %WINDIR%\system32\HPWuSchedv.exe [Detected as W32/Xirtem@MM]
  • [Removable Drive]:\RECYCLER\S-1-6-(Varies)\redmond.exe [Detected as W32/Xirtem@MM]

It also attempts to create an autorun.inf file in the root of any accessible disk volume:

[Removable Drive]:\autorun.inf

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki
  • HKEY_LOCAL_MACHINE\SOFTWARE\HP145
  • HKEY_USERS\S-1-5-21-(Varies)\Software\HP145

The worm disables Windows User Account Control (UAC) alerts by adding the following values to the registry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    UACDisableNotify="1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    EnableLUA="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki\]
    Hdicu="168"

The Worm registers itself as an authorized application with the Windows Firewall by adding the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    %WINDIR%\system32\HPWuSchedv.exe="%WINDIR%\system32\HPWuSchedv.exe:*:Enabled:Explorer"

The following registry entries confirm that the worm executes every time Windows starts:

  • [HKEY_USERS\S-1-5-21-Varies\Software\Microsoft\Windows\CurrentVersion\Run\]
    HP Software Updater v2.7="%WINDIR%\system32\HPWuSchedv.exe"
  • [HKEY_USERS\S-1-5-21-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    Fgoroxir="rundll32.exe "%WINDIR%\kbanet40.dll",Startup"

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
    Start="4"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
    Start="4"

The registry entries above confirm that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc) respectively.

Propagation via Email:

The worm uses its own SMTP engine to send e-mail messages with a copy of itself as the attachment. The e-mails may be sent from any of the following addresses:

e-cards@hallmark.com
order-update@amazon.com
resume-thanks@google.com
thomas.gimpel@ferrari.de
update@facebookmail.com
invitations@twitter.com

Example: for e-cards@hallmark.com, the subject and body of the mail contain the following:

Subject: You have received a Hallmark E-Card

Email Body:

"You have received a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark"

Email Recipient: [user's email address]

The following Mutex objects have been created to ensure only one instance of the Worm is running at a time.

oleacc-msaa-loaded
6124805e

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]

 

--Update August 03, 2010--

File Information:

    • MD5 - 563f303249df5c583f6595f081e5dd61
    • SHA1 - 55bd8264a0047a0acf2f4ed1b50bde874135eb84

Aliases:

    • eTrust-Vet - Win32/Fruspam.EH
    • Kaspersky - P2P-Worm.Win32.BlackControl.d
    • Microsoft - Worm:Win32/Prolaco.gen!C
    • NOD32 - a variant of Win32/Injector.CLU
    • Symantec - W32.Ackantta!gen

Upon execution, the worm copies itself into the following location and connects to the IP address “220.225.[removed]” through remote port 53.

    • %WinDir%\system32\HPWuSchd9.exe

It also injects malicious code into "svchost.exe" and opens a backdoor by connecting to the IP address "202.54.[removed]" through remote port 53.

When the user uses a search engine such as Google, Yahoo or Bing, the browser is redirected to the server "tetrosearch.com".

The worm drops the following files.

    • %AppData%\SystemProc\lsass.exe
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.

(Generally, the file names used are of popular applications and their cracks/keygens)

    • %ProgramFiles%\LimeWire\Shared\K-Lite Mega Codec v5.5.1.exe
    • %ProgramFiles%\LimeWire\Shared\YouTubeGet 5.4.exe
    • %ProgramFiles%\LimeWire\Shared\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • %ProgramFiles%\LimeWire\Shared\K-Lite Mega Codec v5.6.1 Portable.exe
    • %ProgramFiles%\LimeWire\Shared\WinRAR v3.x keygen RaZoR.exe
    • %ProgramFiles%\LimeWire\Shared\Twitter FriendAdder 2.1.1.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 keys.txt.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 Crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 Oblivion DLL.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Total Commander7 license+keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\LimeWire Pro v4.18.3.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Tuneup Ultilities 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Kaspersky Internet Security 2010 keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Windows XP PRO Corp SP3 valid-key generator.exe

The following registry keys have been added.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\HP9
    • HKEY_USERS\S-1-[Varies]\Software\HP9

To bypass the Windows Firewall, it adds the following registry entry:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\HPWuSchd9.exe: "%WinDir%\System32\HPWuSchd9.exe:*:Enabled:Explorer"

It adds the following registry entry to start itself on system startup:

    • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      HP Software Updater9 = "%WinDir%\System32\HPWuSchd9.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
       RTHDBPL = "%AppData%\SystemProc\lsass.exe"

The following registry values have been added.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      EnableLUA = 0x00000000
    • HKEY_CURRENT_USER\Identities
      Curr version = "25"
      Last Date = "Date of Execution"
      Inst Date = "Date of Execution"
      Popup count = "0"
      Popup time = "0"
      Popup date = "0"

The following registry values have been modified:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\
      Start = 0x00000004

The registry entry above confirms that the worm disables the Error Reporting Service (ERSvc).

The following folders have been added:

    • %AppData%\SystemProc
    • %ProgramFiles%\Mozilla Firefox
    • %ProgramFiles%\Mozilla Firefox\extensions
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

Symptoms:

  • The worm connects to "Whatismyip.com" to get the victim's IP address.
  • The worm connects to the following websites
    • sim[removed].com/update.php?sd=2010-04-27&aid=blackout
    • position[removed].com/update.php?sd=2010-04-27&aid=blackout
    • rts[removed].com/update.php?sd=2010-04-27&aid=blackout
    • qul[removed].com/update.php?sd=2010-04-27&aid=blackout
    • contro[removed].com/inst.php?aid=blackout

[Note :%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) ,
%AppData% - C:\Documents and Settings\[UserName]\Application Data,
%ProgramFiles% - C:\Program Files]

 

-------------------------------------------------------------------------------------------

--Update February 10, 2010--

Upon execution, the Trojan copies itself into the following location.

  • %WinDir%\system32\wmimngr.exe

And drops the following file.

  • %WinDir%\system32\wpmgr.exe

The following registry keys have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\Profile5]
  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\WAB]
  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\WAB\Profile5]

The following registry value has been added.

  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
    "Windows Management:" = "C:\WINDOWS\System32\wmimngr.exe"

The registry entry above confirms that the Trojan registers a Run entry to execute itself on every reboot.

The Trojan disables Windows User Account Control (UAC) alerts by adding the following values to the registry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
                "UACDisableNotify:" = "0x00000001"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
                "EnableLUA:" = "0x00000000"

The Trojan registers itself as an authorized application with the Windows Firewall by adding the following value to the registry key.

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
                "C:\WINDOWS\System32\wmimngr.exe:" = "C:\WINDOWS\System32\wmimngr.exe:*:Enabled:Explorer"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
                "C:\WINDOWS\System32\wmimngr.exe:" = "C:\WINDOWS\System32\wmimngr.exe:*:Enabled:Explorer"

The following registry values have been modified.

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
                "Start:" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
                "Start:" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
                "Start:" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
                "Start:" = "0x00000004"

The registry entries above confirm that the Trojan disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc). It also connects to the IP address 72.233.[removed].197 through remote port 80.

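The registry changes that recur through these updates (a Run or Policies\Explorer\Run autostart, the rundll32.exe "<dll>",Startup loader, a self-granted AuthorizedApplications firewall exception, EnableLUA=0 with UACDisableNotify=1, and Start=4 on ERSvc and wscsvc) can all be triaged from a plain reg export of the suspect host. The following Python script is an added example, not McAfee's code: the parser and the checks are mine, and the sample export is constructed to mirror the keys listed above, with benign ctfmon.exe and msmsgs.exe entries added to show what is not flagged.

```python
"""Triage a Windows registry export (.reg text) for the persistence and
hardening-bypass indicators listed in the W32/Xirtem@MM updates.
Added example, not McAfee's code; sample export constructed for the demo."""
import re

# Constructed .reg export: key paths mirror the description; ctfmon.exe and
# msmsgs.exe are ordinary entries included to show they are not flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\PCSuite.exe"="C:\\WINDOWS\\system32\\PCSuite.exe:*:Enabled:Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia Launch Application"="C:\\WINDOWS\\system32\\PCSuite.exe"
"Chuzal"="rundll32.exe \"C:\\WINDOWS\\mstsfd.dll\",Startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Parse .reg text into {key path: {value name: value}}; dwords become int, strings str."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('dword:'):
            hives[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            hives[current][name] = _unescape(data[1:-1])
    return hives

def triage(hives):
    """Return (indicator, detail) pairs; each indicator maps to one behaviour in the description."""
    findings, fw_apps, run_values = [], set(), []
    for path, values in hives.items():
        p = path.lower()
        if p.endswith(r'\microsoft\security center') and values.get('UACDisableNotify') == 1:
            findings.append(('uac_notify_disabled', path))
        if p.endswith(r'\policies\system') and values.get('EnableLUA') == 0:
            findings.append(('uac_disabled', path))
        for svc in ('ersvc', 'wscsvc'):
            if p.endswith('\\services\\' + svc) and values.get('Start') == 4:
                findings.append(('service_disabled', svc))
        if p.endswith(r'\authorizedapplications\list'):
            for name, data in values.items():
                if isinstance(data, str) and ':*:enabled:' in data.lower():
                    fw_apps.add(name.lower())
                    # a firewall exception for something living under the Windows directory
                    if '\\windows\\' in name.lower():
                        findings.append(('firewall_exception_in_windows_dir', name))
        if p.endswith(r'\run'):
            run_values.extend((n, d) for n, d in values.items() if isinstance(d, str))
    for name, data in run_values:
        low = data.lower()
        # the loader pattern used for the dropped DLLs: rundll32.exe "<dll>",Startup
        if low.startswith('rundll32.exe') and low.rstrip().endswith(',startup'):
            findings.append(('rundll32_startup_loader', f'{name} -> {data}'))
        # an autostart whose target also granted itself a firewall exception
        m = re.match(r'"?([a-z]:\\[^"]*?\.exe)', low)
        if m and m.group(1) in fw_apps:
            findings.append(('autostart_with_firewall_exception', f'{name} -> {data}'))
    return findings

if __name__ == '__main__':
    for indicator, detail in triage(parse_reg(SAMPLE_REG)):
        print(f'{indicator:36} {detail}')
```

Feed it the output of "reg export" taken from each of the hives the description names (both HKLM and the user's HKEY_USERS branch). The correlation of a Run value with a firewall exception for the same executable is the lowest-noise indicator here, since legitimate autostarts rarely register themselves in the firewall policy from a path under %WinDir%.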
[Where %WinDir% is the Windows Directory - for example C:\Windows and %Programfiles% is C:\Program Files]

 

--Update July 01, 2009--

The new variant is discovered to use the topic of Michael Jackson's death. The file is called "Michael Jackson songs and pictures.doc.exe".
Upon execution, it copies itself to the following location(s):

    * %WinDir%\system32\jushed.exe
    * %WinDir%\system32\java2.exe
    * %WinDir%\jvm.exe

It creates a non-malicious file java.ini in %WinDir%.

It also creates the following files, detected as Generic rootkit.d!rootkit and DNSChanger.ad:

  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dat
  • %WinDir%\system32\drivers\SKYNE[random].sys

It adds the following registry entries to start itself on system startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched10 = %WinDir%\system32\jushed.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio Services = %WinDir%\jvm.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{151B67MA-E28T-45KF-0O30-8801XS8WIF5J}\StubPath: "%WinDir%\jvm.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Audio Services: "%WinDir%\jvm.exe"

To bypass the Windows Firewall, it adds the following registry entry:

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushed.exe = "%WinDir%\System32\jushed.exe:*:Enabled:Explorer"


It also adds the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java6kernel = "07"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun6micro = "01"


The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.
(Generally, the file names used are of popular applications and their cracks/keygens)

Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe

 

--Update July 01, 2009--

On execution, new variants have been found to create copies of themselves at the following location(s):

  • %WinDir%\system32\jushid.exe
  • %WinDir%\system32\java12.exe
  • %WinDir%\system32\java13.exe
  • %WinDir%\jvm.exe

It also creates a non-malicious file java.ini in %WinDir%.

It adds the following registry entry to start itself on system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = %WinDir%\system32\jushid.exe

To bypass the Windows Firewall, it adds the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushid.exe = "%WinDir%\System32\jushid.exe:*:Enabled:Explorer"

It also adds the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java7kernel = "07" 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun7micro = "01" 

--------

--Update February 27, 2009--

A new variant began to be spammed today.

Upon execution, it drops a copy of itself using the following filename:

  • %WinDir%\system32\java[2 random characters].exe

It then drops another trojan with a random filename and injects it into winlogon.exe and explorer.exe. This trojan is detected as Vundo.gen.w.

It then creates a new scheduled task to run the dropped DLL from the following location:

  • %WinDir%\Tasks\[random filename].job

The following registry values are created to load the worm at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Sun Java Updater v7.4"
Data: %WinDir%\system32\java[2 random characters].exe

This worm also terminates the following security process:

  • mcshield.exe

--------

W32/Xirtem@MM is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Upon execution, this worm displays the following picture, to trick the user into believing that this is a harmless image file.

[image: decoy picture shown by the worm; not available]

Meanwhile, the worm connects to "Whatismyip.com" to get the victim's IP address.

Depending on the variant, it then copies itself to the following locations:

  • %WinDir%\system32\vxworks.exe or
  • %WinDir%\system32\daemon.exe 

It injects itself into multiple running processes.

Depending on the variant, it drops one or more of the following malicious files:

  • %WinDir%\system32\qnx.exe
  • %WinDir%\system32\awtustsr.dll
  • %WinDir%\system32\ddcBTLfd.dll
  • %WinDir%\system32\efcDTLEX.dll
  • %WinDir%\system32\kvslgsfk.dll

Some variants create a new task to run one of the dropped DLLs in the following location:

  • %WinDir%\Tasks\dgzqcscz.job

Some variants then launch an instance of iexplore.exe in the background and use it to log keystrokes to a file at the following location:

  • %WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net

Certain variants also download the following malicious DLLs:

  • APSTPLDR.DLL from http://www.zylon.net/[blocked]
  • kb600179.dll from 82.98.235.65

This worm spreads by copying itself into any removable media connected to the system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

It also has mass-mailing capabilities. The worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

It uses the following "Subject", "Attachment Name" and "From address" combinations for these e-mails.

Subject of E-mail                                            | Attachment name | From Address
-------------------------------------------------------------|-----------------|-----------------------
You've received A Hallmark E-Card!                           | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion.  | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                        | coupon.zip      | giveaway@mcdonalds.com

Some variants create SMTP connections to the following servers on various outbound ports:


This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.
(Generally, the file names used are of popular applications and their cracks/keygens)

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe

It also injects malicious code into explorer.exe and opens a backdoor by connecting to the following domain:

  • web1.ser[removed].org

The backdoor has the following functions:

  • restart/shutdown computer
  • start/stop services
  • start/stop keylogger
  • download/upload files
  • create/terminate/list process
  • perform port scanning
  • modify host file
  • spread itself by instant messenger
  • gather passwords saved by Firefox and Internet Explorer
  • gather account information of instant messengers (MSN, Yahoo, Miranda, AIM)

Registry changes may vary according to the variant.

The following registry keys are added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtustsr

The following registry values are created to load the worm at system startup:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} "StubPath"
      Data: "%WinDir%\system32\qnx.exe"
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Wind River Systems"
      Data: %WinDir%\system32\vxworks.exe

It adds the following registry entries as part of its payload:

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
      Data: no
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "bsd"
      Data: 03
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "free"
      Data: 12
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"
      Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Daemon Tools"
      Data: %WinDir%system32\daemon.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "e887a2ae"
      Data: rundll32.exe "%WinDir%system32\kvslgsfk.dll",b

It adds the following registry values to place itself on the Windows Firewall's authorized applications list:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\vxworks.exe"
      Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\daemon.exe"
      Data: %WinDir%\system32\daemon.exe:*:Enabled:Explorer

The following registry values are modified:

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"
      Old data: yes
      New data: 01, 00, 00, 00
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
      Old data: 00, 00, 00, 00
      New data: 01, 00, 00, 00

Symptoms

  • Network activity on TCP port 25 due to e-mails being sent by the worm.
  • Presence of the files and registry entries mentioned above.

Method of Infection

  • This worm spreads by harvesting e-mail addresses on the infected system and e-mailing a copy of itself to these addresses.
  • This worm also spreads by copying itself to removable media.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the compromised Windows installation and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants

    N/A

All Information

Overview -

W32/Xirtem@MM is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Aliases

  • Mal/CryptBox-A (Sophos)
  • Trojan.Win32.Buzus.cvcz (Kaspersky)
  • Win32/Merond.AA (NOD32)
  • Worm:Win32/Prolaco.gen!C (Microsoft)

Characteristics

------ Updated on  14-Dec-2010 ------

File Information -

    • MD5  - 3e41ab7c70701452d046b93f764564ec
    • SHA1 - 2e7b8a05e97ba1a66b47ca69db76c3c5a8a4181c

Aliases -

    • BitDefender - Win32.Worm.TSY
    • DrWeb - Trojan.AVKill.3097
    • Kaspersky - Trojan.Win32.Buzus.gcjo
    • Microsoft - VirTool:Win32/DelfInject.gen!AC

Upon execution, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain: [removed].kathell.com

Upon execution, the Worm drops the following files into the system:

    • %Temp%\TWAIN.LOG
    • %Temp%\Twain001.Mtx
    • %WinDir%\System32\sta-css.exe [Detected as Hiloti.gen.i]
    • %WinDir%\System32\stat-cpe.exe [Detected as Backdoor-AWQ.b]
    • %WinDir%\nlunupr.dll [Detected as Hiloti.gen.i]

It also copies itself to the following location:

    • %WinDir%\System32\Bluetooth.exe

Also, this worm spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.

    • %ProgramFiles%\LimeWire\Shared\Rapidshare Auto Downloader 3.8.exe
    • %ProgramFiles%\LimeWire\Shared\Trojan Killer v2.9.4173.exe
    • %ProgramFiles%\LimeWire\Shared\PDF to Word Converter 3.0.exe
    • %ProgramFiles%\LimeWire\Shared\Google SketchUp 7.1 Pro.exe
    • %ProgramFiles%\LimeWire\Shared\McAfee Total Protection 2010.exe
    • %ProgramFiles%\LimeWire\Shared\Mp3 Splitter and Joiner Pro v3.48.exe
    • %ProgramFiles%\LimeWire\Shared\Youtube Music Downloader 1.0.exe
    • %ProgramFiles%\LimeWire\Shared\Adobe Acrobat Reader keygen.exe
    • %ProgramFiles%\LimeWire\Shared\VmWare keygen.exe
    • %ProgramFiles%\LimeWire\Shared\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • %ProgramFiles%\LimeWire\Shared\Ad-aware 2010.exe
    • %ProgramFiles%\LimeWire\Shared\BitDefender AntiVirus 2010 Keygen.exe
    • %ProgramFiles%\LimeWire\Shared\Norton Anti-Virus 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Daemon Tools Pro 4.50.exe
    • %ProgramFiles%\Grokster\My Grokster\Download Boost 2.0.exe
    • %ProgramFiles%\Grokster\My Grokster\Uniblue RegistryBooster 2010.exe
    • %ProgramFiles%\Grokster\My Grokster\Grand Theft Auto Episodes From Liberty City 2010.exe
    • %ProgramFiles%\Grokster\My Grokster\Alcohol 120 v1.9.7.exe
    • %ProgramFiles%\Grokster\My Grokster\CleanMyPC Registry Cleaner v6.02.exe
    • %ProgramFiles%\Grokster\My Grokster\Super Utilities Pro 2009 11.0.exe
    • %ProgramFiles%\Grokster\My Grokster\Power ISO v4.2 + keygen axxo.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Download Accelerator Plus v9.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Internet Download Manager V5.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Myspace theme collection.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Nero 9 9.2.6.0 keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Motorola, nokia, ericsson mobil phone tools.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\AVS Video Converter v6.3.1.365 CRACKED.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Daemon Tools Pro 4.50.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Download Boost 2.0.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Uniblue RegistryBooster 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Grand Theft Auto Episodes From Liberty City 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Alcohol 120 v1.9.7.exe

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir
    • HKEY_LOCAL_MACHINE\SOFTWARE\bt1
    • HKEY_USERS\S-1-[varies]\Software\bt1

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
      EnableLUA = 0x00000000
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir\
      Pvunecolayiza =
      Sxujoqoyamuk =
      Kxutudevibebax = "173"
      Eyaqaqojunehohi =
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\
      FailureActions =
      DeleteFlag = 0x00000001
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\
      FailureActions =
      DeleteFlag = 0x00000001
    • HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\
      blue1 = "12"
      blue12 = "13"

The Worm registers itself as an authorized application with the Windows Firewall, and registers Run entries for itself, by adding the following registry values:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\system32\Bluetooth.exe: "%WinDir%\system32\Bluetooth.exe:*:Enabled:Explorer"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      BlueTooth HID = "%WinDir%\system32\Bluetooth.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nfuti = "rundll32.exe  "%WinDir%\nlunupr.dll",Startup"

The two Run entries above show that the worm registers itself to execute on every reboot.

The following registry values have been modified:

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
                  "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
                  "Start:" = "0x00000004"

The registry entries above show that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc); a Start value of 4 means the service is disabled.

The Worm connects to the following hosts through port 25 to download malicious files:


The Worm also connects to the following IP addresses through port 80:

    • 65.55.[removed]
    • 72.233.[removed]
    • 94.75.[removed]

The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

Email Senders:

Email Recipients:

    • [user's email address]

[Note : %ProgramFiles% - C:\Program Files, and  %WinDir% - C:\WINDOWS]

---------

----------Updated October 26, 2010 ---------

File Information -

    • MD5 - ad9ea226e7518973d7026522546fc02a
    • SHA1 - 7c16bb8d8daf1f6e5d0d73cbe0ddf7ef37a11d08

Aliases -

    • DrWeb - Trojan.MulDrop1.54160
    • Symantec - W32.Ackantta.H@mm
    • Kaspersky - Trojan.Win32.Buzus.gdef
    • Microsoft - Trojan:Win32/Meredrop
    • NOD32 - Win32/Merond.O

Upon execution, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain: [removed]da112c.coginix.org

Upon execution, the Worm drops the following files into the system:

    • %Temp%\TWAIN.LOG
    • %Temp%\Twain001.Mtx
    • %WinDir%\System32\sta-css.exe [Detected as Hiloti.gen.i]
    • %WinDir%\System32\stat-cpe.exe [Detected as Backdoor-AWQ.b]
    • %WinDir%\slocic.dll [Detected as Hiloti.gen.i]

It also copies itself to the following location:

    • %WinDir%\System32\PCSuite.exe

Also, this worm spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.

    • %ProgramFiles%\LimeWire\Shared\PDF-XChange Pro.exe
    • %ProgramFiles%\LimeWire\Shared\Windows 7 Ultimate keygen.exe
    • %ProgramFiles%\LimeWire\Shared\RapidShare Killer AIO 2010.exe
    • %ProgramFiles%\LimeWire\Shared\Ashampoo Snap 3.02.exe
    • %ProgramFiles%\LimeWire\Shared\Blaze DVD Player Pro v6.52.exe
    • %ProgramFiles%\LimeWire\Shared\Adobe Illustrator CS4 crack.exe
    • %ProgramFiles%\LimeWire\Shared\Rapidshare Auto Downloader 3.8.exe
    • %ProgramFiles%\Grokster\My Grokster\Anti-Porn v13.5.12.29.exe
    • %ProgramFiles%\Grokster\My Grokster\Norton Internet Security 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Kaspersky AntiVirus 2010 crack.exe
    • %ProgramFiles%\Grokster\My Grokster\PDF-XChange Pro.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Image Size Reducer Pro v1.0.1.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Anti-Porn v13.5.12.29.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Norton Internet Security 2010 crack.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Kaspersky AntiVirus 2010 crack.exe

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir
    • HKEY_LOCAL_MACHINE\SOFTWARE\Nokia4
    • HKEY_USERS\S-1-[varies]\Software\Nokia4

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
      EnableLUA = 0x00000000
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir\
      Kxutudevibebax = "176"
      Pvunecolayiza =
      Sxujoqoyamuk =
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\
      nok01 = "11"
      nok02 = "26"

The Worm registers itself as an authorized application with the Windows Firewall, and registers Run entries for itself, by adding the following registry values:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\system32\PCSuite.exe: "%WinDir%\system32\PCSuite.exe:*:Enabled:Explorer"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nokia Launch Application  = "%WinDir%\system32\PCSuite.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Nfuti = "rundll32.exe  "%WinDir%\slocic.dll",Startup"

The two Run entries above show that the Trojan registers itself to execute on every reboot.

The following registry values have been modified:

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
                  "Start:" = "0x00000004"
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
                  "Start:" = "0x00000004"

The registry entries above show that the Trojan disables the Error Reporting Service (ERSvc) and the Windows Security Center service (wscsvc); a Start value of 4 means the service is disabled.

The worm also connects to the following hosts to download malicious files:


The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass mailing capabilities. The worm sends e-mails, attached with a copy of itself to harvested E-mail addresses on the system.

Email Senders:

Email Recipients:

    • [user's email address]

[Note : %ProgramFiles% - C:\Program Files, and  %WinDir% - C:\WINDOWS]

-------------------------

--Update October 15, 2010--

When executed, the Worm connects to the site "whatismyip.com" to retrieve the IP address of the victim’s machine, and connects to the domain:

  • (varies).networkofart.net

The following files have been dropped into the system:

  • %WINDIR%\system32\hp-513.exe [Detected as Hiloti.gen.e]
  • %WINDIR%\kbanet40.dll (name varies) [Detected as Hiloti.gen.e]

It also drops copies of itself into the following locations:

  • %WINDIR%\system32\HPWuSchedv.exe [Detected as W32/Xirtem@MM]
  • [Removable Drive]:\RECYCLER\S-1-6-(Varies)\redmond.exe [Detected as W32/Xirtem@MM]

It also attempts to create an autorun.inf file in the root of any accessible disk volume:

[Removable Drive]:\autorun.inf

The following registry Keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki
  • HKEY_LOCAL_MACHINE\SOFTWARE\HP145
  • HKEY_USERS\S-1-5-21-(Varies)\Software\HP145

The Worm disables Windows User Account Control (UAC) alerts by adding the following registry values:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    UACDisableNotify="1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    EnableLUA="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Cyojileki\]
    Hdicu="168"

The Worm registers itself as an authorized application with the Windows Firewall by adding the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    %WINDIR%\system32\HPWuSchedv.exe="%WINDIR%\system32\HPWuSchedv.exe:*:Enabled:Explorer"

The following registry entries cause the worm to execute every time Windows starts:

  • [HKEY_USERS\S-1-5-21-Varies\Software\Microsoft\Windows\CurrentVersion\Run\]
    HP Software Updater v2.7="%WINDIR%\system32\HPWuSchedv.exe"
  • [HKEY_USERS\S-1-5-21-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    Fgoroxir="rundll32.exe "%WINDIR%\kbanet40.dll",Startup"

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
    Start="4"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
    Start="4"

The registry entries above show that the worm disables the Error Reporting Service (ERSvc) and the Windows Security Center service (Wscsvc) respectively; a Start value of 4 means the service is disabled.

Propagation via Email:

The worm uses its own SMTP engine to send e-mail messages with a copy of itself attached. The e-mails may appear to come from any of the following addresses:

e-cards@hallmark.com
order-update@amazon.com
resume-thanks@google.com
thomas.gimpel@ferrari.de
update@facebookmail.com
invitations@twitter.com

Example: for e-cards@hallmark.com, the subject and body of the mail contain the following:

Subject: You have received a Hallmark E-Card

Email Body:

"You have received a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark"

Email Recipient: [user's email address]

The following mutex objects are created to ensure that only one instance of the Worm runs at a time:

oleacc-msaa-loaded
6124805e

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]

--Update August 03, 2010--

File Information:

    • MD5 – 563f303249df5c583f6595f081e5dd61
    • SHA1 - 55bd8264a0047a0acf2f4ed1b50bde874135eb84

Aliases:

    • eTrust-Vet  - Win32/Fruspam.EH
    • Kaspersky  - P2P-Worm.Win32.BlackControl.d
    • Microsoft    - Worm:Win32/Prolaco.gen!C
    • NOD32     - a variant of Win32/Injector.CLU
    • Symantec   - W32.Ackantta!gen

Upon execution, the worm copies itself into the following location and connects to the IP address “220.225.[removed]” through remote port 53.

    • %WinDir%system32\HPWuSchd9.exe

It also injects malicious code into “svchost.exe” and opens a backdoor by connecting to the IP address “202.54.[removed]” through remote port 53.

When the user performs a search on an engine such as Google, Yahoo or Bing, the browser is redirected to the server “tetrosearch.com”.

The worm drops the following files:

    • %AppData%\SystemProc\lsass.exe
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.

(Generally, the file names used are of popular applications and their cracks/keygens)

    • %ProgramFiles%\LimeWire\Shared\K-Lite Mega Codec v5.5.1.exe
    • %ProgramFiles%\LimeWire\Shared\YouTubeGet 5.4.exe
    • %ProgramFiles%\LimeWire\Shared\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • %ProgramFiles%\LimeWire\Shared\K-Lite Mega Codec v5.6.1 Portable.exe
    • %ProgramFiles%\LimeWire\Shared\WinRAR v3.x keygen RaZoR.exe
    • %ProgramFiles%\LimeWire\Shared\Twitter FriendAdder 2.1.1.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 keys.txt.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 Crack.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2 Oblivion DLL.exe
    • %ProgramFiles%\Grokster\My Grokster\Starcraft2.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Total Commander7 license+keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\LimeWire Pro v4.18.3.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Tuneup Ultilities 2010.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Kaspersky Internet Security 2010 keygen.exe
    • %ProgramFiles%\Morpheus\My Shared Folder\Windows XP PRO Corp SP3 valid-key generator.exe

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\HP9
    • HKEY_USERS\S-1-[Varies]\Software\HP9

To bypass the Windows Firewall, it adds the following registry entry:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\HPWuSchd9.exe: "%WinDir%\System32\HPWuSchd9.exe:*:Enabled:Explorer"

It adds the following registry entry to start itself on system startup:

    • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      HP Software Updater9 = "%WinDir%\System32\HPWuSchd9.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
       RTHDBPL = "%AppData%\SystemProc\lsass.exe"

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
      UACDisableNotify = 0x00000001
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      EnableLUA = 0x00000000
    •  [HKEY_CURRENT_USER\Identities]
          Curr version = "25"
          Last Date = "Date of Execution"
          Inst Date = "Date of Execution"
          Popup count = "0"
          Popup time = "0"
          Popup date = "0"

The following registry values have been modified:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\
      Start = 0x00000004

The registry entry above shows that the worm disables the Error Reporting Service (ERSvc); a Start value of 4 means the service is disabled.

The following folders have been added:

    • %AppData%\SystemProc
    • %ProgramFiles%\Mozilla Firefox
    • %ProgramFiles%\Mozilla Firefox\extensions
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content

Symptoms:

  • The worm connects to "Whatismyip.com" to get the victim's IP address.
  • The worm connects to the following websites:
    • sim[removed].com/update.php?sd=2010-04-27&aid=blackout
    • position[removed].com/update.php?sd=2010-04-27&aid=blackout
    • rts[removed].com/update.php?sd=2010-04-27&aid=blackout
    • qul[removed].com/update.php?sd=2010-04-27&aid=blackout
    • contro[removed].com/inst.php?aid=blackout

[Note: %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000),
%AppData% - C:\Documents and Settings\[UserName]\Application Data,
%ProgramFiles% - C:\Program Files]

-------------------------------------------------------------------------------------------

--Update February 10, 2010--

Upon execution, the Trojan copies itself into the following location.

  • %WinDir%\system32\wmimngr.exe

It also drops the following file:

  • %WinDir%\system32\wpmgr.exe

The following registry keys have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\Profile5]
  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\WAB]
  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\WAB\Profile5]

The following registry value has been added:

  • [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\]
    "Windows Management" = "C:\WINDOWS\System32\wmimngr.exe"

The registry entry above shows that the Trojan registers a Run entry to execute itself on every reboot.

The Trojan disables Windows User Account Control (UAC) and its notifications by adding the following values to the registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    "UACDisableNotify" = "0x00000001"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    "EnableLUA" = "0x00000000"

The Trojan registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    "C:\WINDOWS\System32\wmimngr.exe" = "C:\WINDOWS\System32\wmimngr.exe:*:Enabled:Explorer"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    "C:\WINDOWS\System32\wmimngr.exe" = "C:\WINDOWS\System32\wmimngr.exe:*:Enabled:Explorer"

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc\]
    "Start" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\]
    "Start" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
    "Start" = "0x00000004"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
    "Start" = "0x00000004"

The registry entries above show that the Trojan disables the Error Reporting Service (ERSvc) and the Windows Security Center Service (wscsvc). It also connects to the IP address 72.233.[removed].197 on remote port 80.

[Where %WinDir% is the Windows directory, for example C:\Windows, and %ProgramFiles% is C:\Program Files]


--Update July 01, 2009--

The new variant was found to use the topic of Michael Jackson's death as its lure. The file is called "Michael Jackson songs and pictures.doc.exe".
Upon execution, it copies itself to the following location(s):

  • %WinDir%\system32\jushed.exe
  • %WinDir%\system32\java2.exe
  • %WinDir%\jvm.exe

It creates a non-malicious file java.ini in %WinDir%.

It also drops rootkit components, detected as Generic rootkit.d!rootkit and DNSChanger.ad, at the following locations:

  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dat
  • %WinDir%\system32\drivers\SKYNE[random].sys

It adds the following registry entries to start itself at system startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched10 = %WinDir%\system32\jushed.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio Services = %WinDir%\jvm.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{151B67MA-E28T-45KF-0O30-8801XS8WIF5J}\StubPath: "%WinDir%\jvm.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Audio Services: "%WinDir%\jvm.exe"

To bypass the Windows Firewall, it adds the following registry entry:

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushed.exe = "%WinDir%\System32\jushed.exe:*:Enabled:Explorer"


It also adds the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java6kernel = "07"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun6micro = "01"


The worm connects to "Whatismyip.com" to get the victim's IP address.

It also has mass-mailing capabilities. The worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names
(generally the names of popular applications and their cracks/keygens):

Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe

 

--Update July 01, 2009--

On execution, new variants have been found to create a copy of themselves at the following location(s):

  • %WinDir%\system32\jushid.exe
  • %WinDir%\system32\java12.exe
  • %WinDir%\system32\java13.exe
  • %WinDir%\jvm.exe

It also creates a non-malicious file java.ini in %WinDir%.

It adds the following registry entry to start itself at system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = %WinDir%\system32\jushid.exe

To bypass the Windows Firewall, it adds the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushid.exe = "%WinDir%\System32\jushid.exe:*:Enabled:Explorer"

It also adds the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java7kernel = "07" 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun7micro = "01" 

--------

--Update February 27, 2009--

A new variant began to be spammed today.

Upon execution, it drops a copy of itself using the following filename:

  • %WinDir%\system32\java[2 random characters].exe

It then drops another trojan under a random file name and injects it into winlogon.exe and explorer.exe. This trojan is detected as Vundo.gen.w.

It then creates a scheduled task to run the dropped DLL, stored at the following location:

  • %WinDir%\Tasks\[random filename].job

The following registry values are created to load the worm at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Sun Java Updater v7.4"
Data: %WinDir%\system32\java[2 random characters].exe

This worm also terminates the following security process:

  • mcshield.exe

--------

W32/Xirtem@MM is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Upon execution, this worm displays a picture to trick the user into believing that the file is a harmless image.

Meanwhile, the worm connects to "Whatismyip.com" to get the victim's IP address.

Depending on the variant, it then copies itself to the following locations:

  • %WinDir%\system32\vxworks.exe or
  • %WinDir%\system32\daemon.exe 

It injects itself into multiple running processes.

Depending on the variant, it drops one or more of the following malicious files:

  • %WinDir%\system32\qnx.exe
  • %WinDir%\system32\awtustsr.dll
  • %WinDir%\system32\ddcBTLfd.dll
  • %WinDir%\system32\efcDTLEX.dll
  • %WinDir%\system32\kvslgsfk.dll

Some variants create a new task to run one of the dropped DLLs in the following location:

  • %WinDir%\Tasks\dgzqcscz.job

Some variants then launch an instance of iexplore.exe in the background and use it to log keystrokes to a file at the following location:

  • %WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net

Certain variants also download the following malicious DLLs:

  • APSTPLDR.DLL from http://www.zylon.net/[blocked]
  • kb600179.dll from 82.98.235.65

This worm spreads by copying itself into any removable media connected to the system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.
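The removable-media spreading described above relies on an autorun.inf at the drive root that points the shell at the copied executable. The following script is an added example (not part of the McAfee description): it parses an autorun.inf, lists every command the shell would run on insert or double-click, and reports whether the referenced program is actually present on the volume, which is the check a responder would run on a suspect USB stick before opening it. The autorun.inf text and the file list are constructed; vxworks.exe is one of the file names listed on this page, the other names are invented.

```python
"""Inspect an autorun.inf from removable media and report what it would run.
Added example, not McAfee code; the autorun.inf text and file list below are
constructed for illustration."""
import os

# Constructed sample modelled on the behaviour described above: the worm
# copies itself to the drive root and points autorun.inf at that copy.
SAMPLE_AUTORUN = """[autorun]
open=vxworks.exe
shellexecute=vxworks.exe
shell\\open\\command=vxworks.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Photos
"""
SAMPLE_FILES = {"autorun.inf", "vxworks.exe", "IMG_0001.jpg"}  # constructed

# Keys whose value the shell executes (shell\<verb>\command is handled by pattern).
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section; other sections ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every (key, command) pair the shell would run for this autorun.inf."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess_autorun(text, present):
    """Pure check: autorun.inf text plus the set of file names at the volume root.
    Returns ("suspicious" | "clean", [reasons])."""
    entries = parse_autorun(text)
    present_lower = {p.lower() for p in present}
    reasons = []
    for key, cmd in launch_targets(entries):
        program = cmd.strip().strip('"').split(" ")[0]  # first token is the program
        on_volume = program.lower().lstrip(".\\") in present_lower
        reasons.append(f"{key}={program}" + (" (present on volume)" if on_volume else ""))
    if reasons and "icon" in entries:
        reasons.append("custom icon set alongside a launch command (disguises the drive)")
    return ("suspicious" if reasons else "clean"), reasons


def assess_volume(root):
    """Filesystem wrapper around assess_autorun for a mounted volume root."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return "clean", []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return assess_autorun(text, set(os.listdir(root)))


if __name__ == "__main__":
    verdict, why = assess_autorun(SAMPLE_AUTORUN, SAMPLE_FILES)
    print(verdict)
    for line in why:
        print("  -", line)
```

`assess_volume` is the entry point for a real drive letter or mount point; the pure `assess_autorun` is split out so the logic can be exercised against captured autorun.inf text without mounting anything.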

It also has mass-mailing capabilities. The worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

It uses the following "Subject", "Attachment Name" and "From address" combinations for these E-mails.

Subject of E-mail                                            | Attachment name | From Address
-------------------------------------------------------------|-----------------|------------------------
You've received A Hallmark E-Card!                           | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion.  | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                        | coupon.zip      | giveaway@mcdonalds.com


Some variants create SMTP connections to the following servers on various outbound ports:

205.134.188.162
211.233.80.119
212.7.64.23
217.167.29.246
64.26.62.254
dom-reg.mediaways.net
fmx.freemail.hu
imas.ahnlab.com
lb.acantho.net
mail.samba.org
mailprot.hilton.com
maxx.shmoo.com
mx.acantho.net
origin.hilton.com
persephone.instanthosting.com.au
relais-ias89.francetelecom.com
www.alinet.it 
www.pacbell.net

This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names
(generally the names of popular applications and their cracks/keygens):

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe

It also injects malicious code into explorer.exe and opens a backdoor by connecting to the following domain:

  • web1.ser[removed].org

The backdoor has the following functions:

  • restart/shutdown computer
  • start/stop services
  • start/stop keylogger
  • download/upload files
  • create/terminate/list process
  • perform port scanning
  • modify host file
  • spread itself by instant messenger
  • gather passwords saved by Firefox and Internet Explorer
  • gather account information from instant messengers (MSN, Yahoo, Miranda, AIM)

Registry changes may vary according to the variant.

The following registry keys are added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtustsr

The following registry values are created to load the worm at system startup:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} "StubPath"
      Data: "%WinDir%\system32\qnx.exe"
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Wind River Systems"
      Data: %WinDir%\system32\vxworks.exe

It adds the following registry entries as part of its payload:

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
      Data: no
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "bsd"
      Data: 03
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "free"
      Data: 12
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"
      Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Daemon Tools"
      Data: %WinDir%\system32\daemon.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "e887a2ae"
      Data: rundll32.exe "%WinDir%\system32\kvslgsfk.dll",b

It adds the following registry values to place itself on the Windows Firewall's authorized applications list:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\vxworks.exe"
      Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\daemon.exe"
      Data: %WinDir%\system32\daemon.exe:*:Enabled:Explorer

The following registry values are modified.

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"
      Old data: yes
      New data: 01, 00, 00, 00
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
      Old data: 00, 00, 00, 00
      New data: 01, 00, 00, 00
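The registry changes listed in this description and in the February 10, 2010 update above all have the same shape: a small set of well-known keys (Run and Policies\Explorer\Run autostarts, the firewall AuthorizedApplications list, the Start value of the ERSvc and wscsvc services, EnableLUA/UACDisableNotify, and the Internet Explorer download policy values) carrying a known bad value. The following script is an added example, not part of the McAfee description: it parses a registry export in the .reg text format that `reg export` writes and reports each of those artifacts with a category label. The embedded export is constructed to mirror the entries listed on this page, with %WinDir% expanded to C:\WINDOWS; the category names are the example's own.

```python
"""Scan a Windows registry export (.reg text) for the autostart, firewall
and service/UAC changes listed in this advisory.  Added example, not part
of the McAfee description; the embedded export is constructed."""
import re

# Constructed sample export (no real host); key and value names follow the
# entries listed in the advisory, with %WinDir% expanded to C:\WINDOWS.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="C:\\WINDOWS\\system32\\vxworks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\vxworks.exe"="C:\\WINDOWS\\system32\\vxworks.exe:*:Enabled:Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.bat;.cmd;.pif;.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping of backslashes and quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key.lower(): {name.lower(): (name, data)}}.
    Handles string, dword:XXXXXXXX and hex:aa,bb,... data (hex becomes bytes)."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # header, blank, comment or continuation line
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[6:], 16)
        elif raw.startswith("hex:"):
            data = bytes(int(b, 16) for b in raw[4:].split(",") if b)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            data = _unescape(raw[1:-1])
        else:
            data = raw
        tree[key][name.lower()] = (name, data)
    return tree


def scan(tree):
    """Return (category, key, value_name, detail) for each artifact found."""
    out = []
    for key, vals in tree.items():
        if key.endswith((r"\currentversion\run", r"\policies\explorer\run")):
            out += [("autostart", key, n, str(d)) for n, d in vals.values()]
        if key.endswith(r"\authorizedapplications\list"):
            for n, d in vals.values():
                # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>;
                # rsplit keeps the drive-letter colon inside the path.
                parts = str(d).rsplit(":", 3)
                if len(parts) == 4 and parts[2].lower() == "enabled":
                    out.append(("firewall_exception", key, n, f"{parts[0]} ({parts[3]})"))
        if re.search(r"\\services\\(ersvc|wscsvc)$", key) and vals.get("start", (0, 0))[1] == 4:
            out.append(("service_disabled", key, "Start", "4 (SERVICE_DISABLED)"))
        if key.endswith(r"\policies\system") and vals.get("enablelua", (0, 1))[1] == 0:
            out.append(("uac_disabled", key, "EnableLUA", "0"))
        if key.endswith(r"\security center") and vals.get("uacdisablenotify", (0, 0))[1] == 1:
            out.append(("uac_disabled", key, "UACDisableNotify", "1"))
        if key.endswith(r"\policies\associations") and "lowriskfiletypes" in vals:
            exts = [e.strip().lower() for e in str(vals["lowriskfiletypes"][1]).split(";")]
            if ".exe" in exts:
                out.append(("download_warning_suppressed", key, "LowRiskFileTypes", ".exe"))
        if key.endswith(r"\internet explorer\download") and "checkexesignatures" in vals:
            current = str(vals["checkexesignatures"][1])
            if current.lower() != "yes":
                out.append(("download_warning_suppressed", key, "CheckExeSignatures", current))
    return out


if __name__ == "__main__":
    for cat, key, name, detail in scan(parse_reg(SAMPLE_REG)):
        print(f"{cat:28} {key}\\{name} -> {detail}")
```

Run it against a real export with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the suspect host and feed each file to `parse_reg`; the service check matches both ControlSet001 and CurrentControlSet because it keys on the service name only, and the autostart check deliberately reports every Run value so legitimate entries can be reviewed alongside the ones named on this page.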

Symptoms


  • Network activity on TCP port 25 due to e-mails being sent by the worm.
  • Presence of the files and registry entries mentioned above.

Method of Infection


  • This worm spreads by harvesting e-mail addresses on the infected system and e-mailing a copy of itself to these addresses.
  • This worm also spreads by copying itself to removable media.

Removal -


All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants


    N/A