W32/DuckTest.worm

Type: Virus
SubType: Worm
Discovery Date: 03/13/2003
Length: 15,872 bytes
Minimum DAT: 4253 (03/19/2003)
Updated DAT: 4253 (03/19/2003)
Minimum Engine: 5.1.00
Description Added: 03/13/2003
Description Modified: 03/13/2003 3:53 PM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This worm spreads via open network shares. It does not spread via email. The worm poses as an "HTTP Strees Check" [sic] to "Test for DoS". It downloads and executes a file from a Geocities user page (at the time of writing, the W32/Yaha.q@MM worm), and contains a payload that sends many print jobs to the printer.

When the worm is run, it checks the filename under which it was executed. If the name is anything other than WINQAK32.EXE, it displays the "HTTP Strees Check" window.

This "tool" simply performs multiple DNS lookups for the entered domain. In the background, the worm creates the following registry key:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\PkF--k (censored)
It copies itself to the WINDOWS SYSTEM (%SysDir%) directory as WINQAK32.EXE and creates a registry run key to load itself at system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WinQak32" = C:\WINDOWS\SYSTEM\WinQak32.exe
Upon reboot, the worm is run under the WINQAK32.EXE filename and checks for an internet connection by performing a DNS lookup for YAHOO.COM. If that request succeeds, the worm downloads a file named AAA.ZIP from a Geocities user page.
The file is saved locally as SH(censored)TS4U.EXE and run. At the time of this writing the file was the W32/Yaha.q@MM worm. If this action succeeds, the worm removes the registry run key that it created.

The worm attempts to connect to network shares that use the following names:

  • WIN
  • WIN95
  • WIN98
  • WINDOWS
  • WINME
  • WINNT
  • WINXP
It copies itself to the share as WINQAK32.EXE and creates a WIN.INI key value to load the worm at startup:
  • run=WINQAK32.EXE
It also attempts to copy itself to the following folder:
  • Documents and Settings\All Users\Start Menu\Programs\Startup

Symptoms

Presence of the following files:

  • WINQAK32.EXE
  • SH(censored)TS4U.EXE
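
The persistence hooks listed above (the HKLM Run value, the WIN.INI run= entry, and the WINQAK32.EXE copies in %SysDir% and the All Users Startup folder) are the artifacts a responder would check for and clean. The following offline triage helper is an added example, not McAfee's tool or code from the description: it takes the data as plain inputs (a WIN.INI text, a dictionary of Run-key values, a list of file paths) so it runs on any platform, and the sample inputs are constructed here; on a live host you would feed it the real WIN.INI, the real Run values and a real directory listing. The regular expression for the second dropped file only matches the "SH" prefix and "TS4U.EXE" suffix, because the middle of that name is censored on the page.

```python
"""Offline triage helper for the W32/DuckTest.worm persistence hooks (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the description.
WORM_FILENAME = "WINQAK32.EXE"
RUN_KEY_VALUE_NAME = "WinQak32"
# The page censors the middle of the downloaded file's name, so only the
# visible prefix and suffix are matched.
DROPPED_FILE_RE = re.compile(r"SH\w*TS4U\.EXE")

# Constructed sample inputs (not captured from a real host).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=WINQAK32.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN_VALUES = {
    "WinQak32": r"C:\WINDOWS\SYSTEM\WinQak32.exe",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\WinQak32.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WINQAK32.EXE",
    r"C:\WINDOWS\notepad.exe",
]


def parse_win_ini_run(ini_text: str) -> List[str]:
    """Return the programs listed on the run= line of WIN.INI's [windows] section.

    run= (like load=) holds a list of programs separated by commas or spaces;
    lines outside the [windows] section are ignored.
    """
    section = None
    programs: List[str] = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            programs.extend(p for p in re.split(r"[,\s]+", value.strip()) if p)
    return programs


def remove_win_ini_run_entry(ini_text: str, program: str) -> str:
    """Return the WIN.INI text with `program` removed from the [windows] run= line.

    Other programs on the line are preserved; an emptied line is left as
    'run=' rather than deleted, so the file layout is otherwise untouched.
    """
    out: List[str] = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            out.append(raw)
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            kept = [p for p in re.split(r"[,\s]+", value.strip())
                    if p and p.upper() != program.upper()]
            out.append("run=" + " ".join(kept))
        else:
            out.append(raw)
    return "\n".join(out) + ("\n" if ini_text.endswith("\n") else "")


def find_indicators(files: Iterable[str], run_values: Dict[str, str],
                    ini_text: str) -> List[Tuple[str, str]]:
    """Report (kind, detail) pairs for every hook from the description that is present."""
    hits: List[Tuple[str, str]] = []
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if name == WORM_FILENAME or DROPPED_FILE_RE.fullmatch(name):
            hits.append(("file", path))
    for name, data in run_values.items():
        if name.lower() == RUN_KEY_VALUE_NAME.lower() or data.upper().endswith(WORM_FILENAME):
            hits.append(("registry_run", f"{name} = {data}"))
    for program in parse_win_ini_run(ini_text):
        if program.upper() == WORM_FILENAME:
            hits.append(("win_ini_run", program))
    return hits


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_WIN_INI):
        print(f"{kind:13s} {detail}")
    print(remove_win_ini_run_entry(SAMPLE_WIN_INI, WORM_FILENAME))
```

The file check keys on the basename only, so both the %SysDir% copy and the Startup-folder copy are reported by the same rule; the Run-key check matches either the value name the worm uses or any value whose data ends in WINQAK32.EXE, which catches the hook even if the value were renamed.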

Method of Infection

This worm spreads via NetBIOS, copying itself to accessible network shares. It also downloads and executes a remote file every few minutes, and sends multiple print jobs to your printer.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
