W32/Caffer@MM

Type: Virus
SubType: Email Worm
Discovery Date: 02/21/2008
Length:
Minimum DAT: 5235 (02/21/2008)
Updated DAT: 5235 (02/21/2008)
Minimum Engine: 5.1.00
Description Added: 02/21/2008
Description Modified: 02/21/2008 1:48 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview

W32/Caffer@MM is a mass mailer with downloading capabilities.

Characteristics

-- Update February 21, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.repubblica.it/2008/02/sezioni/cronaca/truffa-mail/truffa-mail/truffa-mail.html

An English translation is available here

--

The malware is packed with Npack to hinder analysis of its behaviour. Once unpacking is complete, the malware adds the following registry values. Together they map the (redacted) domain into Internet Explorer's Trusted sites zone (zone 2) and lower that zone's security settings:


  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\www\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\domains\co****str**a.com\www\* = 2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\(default) = ""
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1001 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1004 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1201 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1402 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1405 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1407 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609 = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1800 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1803 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\MinLevel = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\RecommendedLevel = 0

After this, the malware retrieves the POP3 server, SMTP server, POP3 user name and SMTP email address. It then creates the folders:


  • C:\Windows\System32\3ComNet
  • C:\Windows\System32\3ComNet\Service

and sets their attributes to hidden. It then copies itself as C:\Windows\System32\3ComNet\service\svcnost.exe and adds the following registry value so that the copy is started every time the user logs on:


  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcnost.exe - c:\windows\system32\3ComNet\service\svcnost.exe

The malware then downloads additional malware from http://www.co****str***.com and saves it as:

  • C:\system.exe

This downloaded malware is executed immediately and is already detected by McAfee. The original sample then starts the copy of itself stored under C:\Windows\System32\3ComNet\service and deletes itself from disk. The newly started copy downloads the data it needs (body.txt and subject.txt) and begins its spam operations.
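As an added illustration that is not part of the McAfee write-up, the following Python parses a `reg export` of the keys listed above and flags the three indicators this description gives: a domain mapped into zone 2 (Trusted sites), Trusted sites values lowered to 0 (Enable), and the svcnost.exe Run entry. The .reg text is constructed here from the values on this page, and `parse_reg` and `caffer_indicators` are names chosen for this example.

```python
import re
# Constructed .reg export (as from `reg export`) reproducing values the write-up lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\co****str**a.com\www]
@=""
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1200"=dword:00000000
"1609"=dword:00000001
"CurrentLevel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcnost.exe"="c:\\windows\\system32\\3ComNet\\service\\svcnost.exe"
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<val>.+)$')
INET = "software\\microsoft\\windows\\currentversion\\internet settings"

def parse_reg(text):
    """Return {key_path: {value_name: value}}; handles REG_SZ and REG_DWORD only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            val = m.group("val")  # dword:xxxxxxxx -> int, "..." -> unescaped str
            val = int(val[6:], 16) if val.startswith("dword:") else val.strip('"').replace("\\\\", "\\")
            keys[current][m.group("name") or "(default)"] = val
    return keys

def caffer_indicators(reg_text):
    """Flag Trusted-sites (zone 2) tampering and the svcnost.exe Run entry."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        low = path.lower()
        if INET + "\\zonemap\\domains\\" in low:
            domain = low.split("\\zonemap\\domains\\", 1)[1]
            findings += [f"{domain} mapped to zone 2 (Trusted sites) via '{n}'"
                         for n, v in values.items() if v == 2]
        elif low.endswith(INET + "\\zones\\2"):
            # URLACTION value 0 = Enable; the write-up sets these and the level values to 0
            findings += [f"Trusted sites value {n} lowered to 0"
                         for n, v in values.items() if v == 0 and n != "(default)"]
        elif low.endswith("\\currentversion\\run"):
            findings += [f"Run value {n} -> {v}" for n, v in values.items()
                         if "svcnost.exe" in str(v).lower() or "\\3comnet\\" in str(v).lower()]
    return findings
```

Run it against a real export of HKCU\Software\Microsoft\Windows\CurrentVersion on a suspect host; a value of 1 (Prompt, as with 1609 in the sample) is deliberately not flagged.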



Symptoms

  • unexpected network behaviour
  • presence of hidden directory c:\windows\system32\3ComNet\service
  • presence of process svcnost.exe
  • presence of file c:\windows\system32\3ComNet\service\svcnost.exe
  • antivirus and firewall prompting the user for suspicious files and network activity

Method of Infection

Executing the file hosted on the website linked in the malicious email initiates the malicious behaviour. Additionally, users with low security settings may be infected simply by visiting the malicious website.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A
