Spy-Wokiscan

Type: Trojan
SubType: Win32
Discovery Date: 08/20/2007
Length: varies
Minimum DAT: 5102 (08/21/2007)
Updated DAT: 5102 (08/21/2007)
Minimum Engine: 5.1.00
Description Added: 08/20/2007
Description Modified: 08/21/2007 8:00 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

The Spy-Wokiscan trojan executes the main Woron Scan SIM card scanner program but also attempts to drop additional malicious files that may perform the following actions:

  • Hooks the registry to start itself upon reboot
  • Changes local computer security policy such as firewalls
  • Attempts to send email messages via various SMTP gateways
  • Several files are dropped upon installation
  • Creates several log files

Upon execution, the following files are dropped:

  • %WinDir%\mui\olefx.dll (contains victim's computer information)
  • %WinDir%\mui\rctfd.sys (logfile for trojan activity)
  • %WinDir%\calc.exe (detected as Spy-Wokiscan)
  • %WinDir%\lsassv.exe (detected as Spy-Wokiscan)
  • %WinDir%\msrpc.exe (detected as Spy-Wokiscan)
  • %WinDir%\servicew.exe (detected as Spy-Wokiscan)
  • %WinDir%\syswin.exe (detected as Spy-Wokiscan)
  • %WinDir%\woron_scan_1.09_eng.exe (Woron scanner program)

(Where %WinDir% is the Windows folder; e.g. C:\Windows)

The following registry keys are added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\servicew.exe: "c:\windows\servicew.exe:*:Enabled:System Update"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msrpc: "c:\windows\msrpc.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syswin: "c:\windows\syswin.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\syswin: "c:\windows\syswin.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswin\ImagePath: "c:\windows\syswin.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\syswin: "c:\windows\syswin.exe"
  • HKEY_CURRENT_USER\S-1-5-21-790525478-1682526488-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Run\lsassv: "c:\windows\lsassv.exe"

Attempts to use the following SMTP gateways for emailing:

  • 194.67.23.11 (smtp.mail.ru)
  • 81.19.66.20 (mail.rambler.ru)
  • 217.12.11.66 (smtp1.mail.vip.ukl.yahoo.com)

Symptoms

  • Existence of registry keys and files from the Characteristics section
  • Outbound network connection via the SMTP port
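Added example (not part of the advisory): a small Python matcher that checks Sysmon-style FileCreate (11), RegistryEvent (13) and NetworkConnect (3) records against the files, registry values and SMTP gateways listed in the Characteristics section. It assumes the "Name=value" event format shown, a Windows folder of c:\windows (WINDIR), and the constructed sample events and SID at the bottom; the registry comparison folds hive aliases, ControlSetNNN and per-user SIDs so the advisory's ControlSet001 and HKCU\<SID> entries match what a live host logs.

```python
import re
# Indicators transcribed from the advisory above; WINDIR and SAMPLE_EVENTS are constructed.
WINDIR = r"c:\windows"  # assumed Windows folder, as in the advisory's example
DROPPED_FILES = {r"\mui\olefx.dll", r"\mui\rctfd.sys", r"\calc.exe", r"\lsassv.exe",
                 r"\msrpc.exe", r"\servicew.exe", r"\syswin.exe", r"\woron_scan_1.09_eng.exe"}
REGISTRY_VALUES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
    r"\StandardProfile\AuthorizedApplications\List\c:\windows\servicew.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\msrpc",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syswin",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\syswin",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswin\ImagePath",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\syswin",
    r"HKEY_CURRENT_USER\S-1-5-21-790525478-1682526488-1202660629-500\Software\Microsoft"
    r"\Windows\CurrentVersion\Run\lsassv",
]
SMTP_GATEWAYS = {"194.67.23.11", "81.19.66.20", "217.12.11.66"}

def normalize_key(key):
    """Fold hive aliases, ControlSetNNN and per-user SIDs so logged keys compare equal to the list."""
    k = key.lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    k = re.sub(r"^(hkey_users|hku|hkcu)\\s-1-5-[\d-]+", "hkcu", k)  # HKU\<SID> is that user's HKCU
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)
KNOWN_KEYS = {normalize_key(k) for k in REGISTRY_VALUES}

def parse_event(line):
    """Split a 'Name=value Name=value' Sysmon-style line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def match_event(ev):
    """Return a description of the matched indicator, or None if the event matches nothing."""
    eid, path = ev.get("EventID"), ev.get("TargetFilename", "").lower()
    if eid == "11" and path.startswith(WINDIR) and path[len(WINDIR):] in DROPPED_FILES:
        return "dropped file " + path                          # FileCreate directly under %WinDir%
    if eid == "13" and normalize_key(ev.get("TargetObject", "")) in KNOWN_KEYS:
        return "registry key " + normalize_key(ev["TargetObject"])   # RegistryEvent (value set)
    if eid == "3" and ev.get("DestinationPort") == "25" and ev.get("DestinationIp") in SMTP_GATEWAYS:
        return "SMTP to " + ev["DestinationIp"]                # NetworkConnect to a listed gateway
    return None

def scan(lines):
    """Return [(line_no, indicator)] for every event that matches the advisory's indicators."""
    hits = [(n, match_event(parse_event(l))) for n, l in enumerate(lines, 1)]
    return [(n, h) for n, h in hits if h]

SAMPLE_EVENTS = [  # constructed for the demo; the SID on the third line is made up
    r"EventID=11 Image=C:\Temp\woron.exe TargetFilename=C:\WINDOWS\syswin.exe",
    r"EventID=13 TargetObject=HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\servicew.exe Details=c:\windows\servicew.exe:*:Enabled:System Update",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\lsassv Details=c:\windows\lsassv.exe",
    r"EventID=3 Image=C:\WINDOWS\servicew.exe DestinationIp=194.67.23.11 DestinationPort=25",
    r"EventID=11 Image=C:\WINDOWS\explorer.exe TargetFilename=C:\WINDOWS\system32\calc.exe",
]
```

The last sample line is deliberately benign: calc.exe under system32 is not the %WinDir%\calc.exe the advisory lists, so it is not flagged.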

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Spy-Wokiscan takes a SIM card scanning tool called Woron Scan and repackages it with additional trojan files intended to steal information from the victim's computer.