W32/Scrapkut.worm

Type
Virus
SubType
Worm
Discovery Date
03/02/2008
Length
flashx_p.exe 239,616 bytes
logservicess.exe 20,148 bytes
win32chekupdate.exe 1,107,789 bytes
windosremote.exe 3,665,995 bytes
Minimum DAT
5243 (03/03/2008)
Updated DAT
5243 (03/03/2008)
Minimum Engine
5.1.00
Description Added
03/02/2008
Description Modified
03/03/2008 5:32 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

--- Update March 3, 2008 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

The downloader component of the worm has the following attributes:

  • File size: 239,616 bytes
  • FileName: flashx_p.exe

Upon execution, the worm shows the following window (screenshot not reproduced).

Then it downloads the following files from the remote site "ifastnet.com":

  • %Windir%\logservicess.exe (420,148 bytes)
  • %Windir%\system32\maindwxp.exe (420,148 bytes)
  • %Windir%\win32chekupdate.exe (1,107,789 bytes)
  • %Windir%\windosremote.exe (3,665,995 bytes)

The worm injects a thread into the Internet Explorer process and monitors accesses to orkut.com.
It sends scraps containing the link to "flashx_p.exe" to all contacts listed in the address book.

Symptoms

The worm attempts to terminate security-related processes listed in the worm file; the list contains more than 700 processes.

The worm also terminates the following services:

  • Security Center
  • SharedAccess

The worm attempts to delete files under the following directories:

  • %HOMEDRIVE%\%ProgramFiles%\alwils~1\avast4\
  • %HOMEDRIVE%\%ProgramFiles%\Lavasoft\Ad-awa~1\
  • %HOMEDRIVE%\%ProgramFiles%\kasper~1\
  • %HOMEDRIVE%\%ProgramFiles%\trojan~1\
  • %HOMEDRIVE%\%ProgramFiles%\f-prot95\
  • %HOMEDRIVE%\%ProgramFiles%\tbav\
  • %HOMEDRIVE%\%ProgramFiles%\avpersonal\
  • %HOMEDRIVE%\%ProgramFiles%\Norton~1\
  • %HOMEDRIVE%\%ProgramFiles%\Mcafee\
  • %HOMEDRIVE%\%ProgramFiles%\avgamsr\
  • %HOMEDRIVE%\%ProgramFiles%\avgamsvr\
  • %HOMEDRIVE%\%ProgramFiles%\avgemc\
  • %HOMEDRIVE%\%ProgramFiles%\avgcc\
  • %HOMEDRIVE%\%ProgramFiles%\avgupsvc\
  • %HOMEDRIVE%\%ProgramFiles%\grisoft
  • %HOMEDRIVE%\%ProgramFiles%\nood32\
  • %HOMEDRIVE%\%ProgramFiles%\nod32
  • %HOMEDRIVE%\nood32\
  • %HOMEDRIVE%\%ProgramFiles%\kav\
  • %HOMEDRIVE%\%ProgramFiles%\kavmm\
  • %HOMEDRIVE%\%ProgramFiles%\kaspersky
  • %HOMEDRIVE%\%ProgramFiles%\ewidoctrl\
  • %HOMEDRIVE%\%ProgramFiles%\guard\
  • %HOMEDRIVE%\%ProgramFiles%\ewido\
  • %HOMEDRIVE%\%ProgramFiles%\pavprsrv\
  • %HOMEDRIVE%\%ProgramFiles%\pavprot\
  • %HOMEDRIVE%\%ProgramFiles%\avengine\
  • %HOMEDRIVE%\%ProgramFiles%\apvxdwin\
  • %HOMEDRIVE%\%ProgramFiles%\webproxy\
  • %HOMEDRIVE%\%ProgramFiles%\panda software\
  • %HOMEDRIVE%\%ProgramFiles%\ewidoa~1\
  • %HOMEDRIVE%\%ProgramFiles%\ESET\

The worm modifies the following registry key, setting these values:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirewallDisableNotify = 4
    AntiVirusDisableNotify = 4
    AntiVirusOverride = 4
    FirewallOverrideFirst = 4
    RunDisabled = 4
    UpdatesDisableNotify = 4

The worm sets the "Start" value to "4" under the following service keys:

  •  Amon
  •  Apvxd
  •  Apvxdwin
  •  Atrack
  •  AvconsoleEXE
  •  AVG_CC
  •  avgcc32
  •  avgserv9
  •  AVPCC
  •  AVPCC Service
  •  BlackIce Utility
  •  CcApp
  •  CcRegVfy
  •  ConfigSafe
  •  CPD_EXE
  •  Defwatch
  •  dvpapi9x
  •  Fix-it
  •  Fix-it AV
  •  Freedom
  •  F-StopW
  •  iamapp
  •  Look 'n' Stop
  •  McAfee Firewall
  •  McAfee Winguage
  •  McAfee.InstantUpdate.Monitor
  •  McAfeeVirusScanService
  •  NAV Agent
  •  NAV Configuration Wizard
  •  NAV DefAlert
  •  Nod32CC
  •  NOD32POP3
  •  Norton Auto-Protect
  •  Norton eMail Protect
  •  Norton Navigaton Loader
  •  Norton Program Event Checker
  •  Norton Program Scheduler
  •  NPS Event Checker
  •  Panda Scheduler
  •  ScanInicio
  •  SymTray - Norton SystemWorks
  •  Tiny Personal Firewall
  •  TrueVector
  •  VirusScan Online
  •  ZoneAlarm

Those service keys are located under the following keys:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
  •  HKEY_LOCAL_MACHINE\SYSTEM\Controlset002\Services
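An added, read-only host check (not McAfee's code) that reports the tampering indicators described above: the dropped files, the Security Center values set to 4, and service keys whose Start value is 4 (SERVICE_DISABLED). It assumes an elevated Windows PowerShell session, and the service list is a subset of the page's list to stay short.

```powershell
# Added host check for W32/Scrapkut.worm indicators (not McAfee's code).
# Read-only: it reports findings and changes nothing. Run as Administrator.

$droppedFiles = @(
    "$env:WINDIR\logservicess.exe",
    "$env:WINDIR\system32\maindwxp.exe",
    "$env:WINDIR\win32chekupdate.exe",
    "$env:WINDIR\windosremote.exe"
)

# Security Center values the worm writes as 4 (suppresses alerts/overrides state)
$scKey    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scValues = 'FirewallDisableNotify','AntiVirusDisableNotify','AntiVirusOverride',
            'FirewallOverrideFirst','RunDisabled','UpdatesDisableNotify'

# Service keys the worm sets Start=4 (SERVICE_DISABLED); subset of the page's list
$services = 'Amon','AVG_CC','avgcc32','AVPCC','CcApp','Defwatch','Nod32CC',
            'Norton Auto-Protect','Panda Scheduler','TrueVector','ZoneAlarm'
$hives    = 'HKLM:\SYSTEM\CurrentControlSet\Services',
            'HKLM:\SYSTEM\ControlSet001\Services',
            'HKLM:\SYSTEM\ControlSet002\Services'

$findings = @()

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

if (Test-Path -LiteralPath $scKey) {
    $sc = Get-ItemProperty -LiteralPath $scKey
    foreach ($v in $scValues) {
        # Only flag values that exist and carry the worm's value of 4
        if ($sc.PSObject.Properties[$v] -and $sc.$v -eq 4) {
            $findings += "Security Center tampering: $v = 4"
        }
    }
}

foreach ($h in $hives) {
    foreach ($s in $services) {
        $k = Join-Path $h $s
        if (Test-Path -LiteralPath $k) {
            $start = (Get-ItemProperty -LiteralPath $k -Name Start -ErrorAction SilentlyContinue).Start
            if ($start -eq 4) { $findings += "Service disabled: $k (Start=4)" }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No W32/Scrapkut.worm indicators found.' }
```

A hit on a single service Start value is not conclusive on its own (administrators disable services too); the file and Security Center findings together are the stronger signal.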

Method of Infection

The worm attempts to spread itself by sending orkut users scraps that contain the link to the worm itself.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

The worm attempts to spread itself by sending orkut users scraps that contain the link to the worm itself.

Aliases

  • Downloader.Banload.ONK (GRISoft)
  • TR/Dldr.Orkut.A (Avira)
  • Trojan-Downloader.Win32.Banload.auf (IKARUS)
  • Trojan.DL.Win32.Banload.dzm (Rising)
  • W32.Scrapkut (Symantec)
