New mass-mailing worm seen in the wild

September 11, 2010

SonicWALL UTM Research team observed a new variant of the Autorun worm spreading in the wild. The worm spreads through e-mail, removable storage and network shares. The e-mail campaigns contain a link that points to the Autorun worm. The e-mails look like the following:

Link to PDF file [Mass-mailing worm]

Subject: Here you have

Email Body:
------------------------

Hello:

This is The Document I told you about,you can find it Here.http://www.{removed}/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
------------------------

Link to WMV file [Adult Spam]

Subject: Just for you

Email Body:
------------------------

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

http://www.{removed}/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,
------------------------

Sample e-mail messages look like this:

[screenshots of the sample e-mail messages]

If the user downloads and opens the file, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to members.multimania.co.uk and downloads multiple files. The malicious account hosting these files was disabled by Lycos UK.

  • File Activity:

    It creates the following files

    • C:\autorun.inf
    • C:\open.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • C:\{Logged on User} CV 2010.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\autorun.inf
    • %windir%\autorun2.inf
    • %windir%\csrss.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\ff.exe - Detected as GAV: Pass.A_2 (Hacktool)
    • %windir%\gc.exe - Detected as GAV: NetPass.FX (Hacktool)
    • %windir%\ie.exe - Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\im.exe - Detected as GAV: Messen.HX (Hacktool)
    • %windir%\op.exe - Detected as GAV: PassView.A (Hacktool)
    • %windir%\pspv.exe - Detected as GAV: PSPassView.A (Hacktool)
    • %windir%\rd.exe - Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\re.exe - Detected as GAV: PSExec.D (Hacktool)
    • %windir%\re.iq
    • %windir%\{Logged on User} CV 2010.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\tryme1.exe
    • %windir%\vb.vbs - Detected as GAV: VBS.TRZ (Trojan)
    • %windir%\system\{Logged on User} CV 2010.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system\update.exe (copy of itself) - Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system32\SendEmail.dll - Detected as GAV: Sendmail.MOK (Hacktool)

    It replaces the following files

    • %windir%\system32\drivers\etc\hosts

    It deletes the following files

    • All .exe files on the desktop

  • Process Activity:

    It creates the following process in memory

    • %windir%\csrss.exe

  • Registry Activity:
    • It adds HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe C:\WINDOWS\csrss.exe" to ensure the infection survives a reboot
    • It disables the Windows Security Center service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
    • It disables the Windows AutoUpdate service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
    • It creates multiple registry entries that intercept execution calls to processes.
      It adds the value "C:\WINDOWS\csrss.exe" to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{process}\Debugger
  • Propagation:
    • It mass-mails itself using the e-mail campaigns seen above
    • It copies itself on to removable storage media as open.exe and replaces autorun.inf to launch itself
      [screenshot]
    • It copies itself on to the following locations using the vb.vbs script it created
      [screenshot]
  • Harvesting Credentials:
    • It downloads multiple password-harvesting tools and harvests user credentials
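As an added example (not SonicWALL's code), the following Python triage script scans a constructed `reg export` style dump for the registry changes described above: a Winlogon Shell value that launches anything besides Explorer.exe, Image File Execution Options Debugger values, and Security Center / AutoUpdate service keys whose Start value has been removed. The key paths are those named in the advisory; the dump contents, including the notepad.exe IFEO entry, are constructed sample data.

```python
import re

# Constructed sample of a "reg export" style dump (not a real capture); the Shell and
# Debugger values mirror the advisory, and the wscsvc key has had its Start value removed.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def reg_string(raw):
    """Strip the quotes and undo the doubled backslashes of an exported REG_SZ value."""
    return raw.strip().strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VAL_RE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_findings(keys):
    """Return (kind, key path, detail) tuples for the persistence changes listed above."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # Winlogon\Shell should be exactly Explorer.exe; anything appended runs at every logon
        if k.endswith("\\winlogon") and "Shell" in values:
            shell = reg_string(values["Shell"])
            if shell.lower() != "explorer.exe":
                findings.append(("winlogon_shell", key, shell))
        # An IFEO Debugger value redirects every launch of that process to the "debugger"
        if "\\image file execution options\\" in k and "Debugger" in values:
            findings.append(("ifeo_debugger", key, reg_string(values["Debugger"])))
        # A service key with no Start value cannot be started by the Service Control Manager
        if k.endswith(("\\services\\wscsvc", "\\services\\wuauserv")) and "Start" not in values:
            findings.append(("service_start_missing", key, None))
    return findings
```

On a live host the same checks apply to the output of `reg export HKLM <file>`, which is what the sample dump imitates.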

SonicWALL Gateway AntiVirus provides protection against this Autorun worm variant with the following signatures:
GAV: AutoRun.ICO (Worm)
GAV: IEPassView.G (Hacktool)
GAV: NetPass.FX (Hacktool)
GAV: PassView.A (Hacktool)
GAV: Pass.A_2 (Hacktool)
GAV: Messen.HX (Hacktool)
GAV: PSPassView.A (Hacktool)
GAV: PsExec.D (Hacktool)
GAV: Sendmail.MOK (Hacktool)
GAV: VBS.TRZ (Trojan)
