W32/Xirtem@MM

Type: Virus
SubType: Worm
Discovery Date: 12/03/2008
Length: varies
Minimum DAT: 5453 (12/03/2008)
Updated DAT: 5664 (07/02/2009)
Minimum Engine: 5.2.00
Description Added: 12/03/2008
Description Modified: 07/01/2009 5:46 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

--Update July 01, 2009--

A new variant has been discovered that uses the topic of Michael Jackson's death as its lure. The file is called "Michael Jackson songs and pictures.doc.exe".
Upon execution, it copies itself to the following location(s):

  • %WinDir%\system32\jushed.exe
  • %WinDir%\system32\java2.exe
  • %WinDir%\jvm.exe

It creates a non-malicious file java.ini in %WinDir%.

It also drops components detected as Generic rootkit.d!rootkit and DNSChanger.ad at the following locations:

  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dll
  • %WinDir%\system32\SKYNET[random].dat
  • %WinDir%\system32\drivers\SKYNE[random].sys

It adds the following registry entries to start itself at system startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched10 = %WinDir%\system32\jushed.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Audio Services = %WinDir%\jvm.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{151B67MA-E28T-45KF-0O30-8801XS8WIF5J}\StubPath: "%WinDir%\jvm.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Audio Services: "%WinDir%\jvm.exe"

To bypass the Windows Firewall it adds the following registry entry:

  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushed.exe = "%WinDir%\System32\jushed.exe:*:Enabled:Explorer"

It also adds the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java6kernel = "07"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun6micro = "01"

The worm connects to "Whatismyip.com" to obtain the victim's IP address.

It also has mass mailing capabilities: the worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names (generally the names of popular applications and their cracks/keygens):

Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe

--Update July 01, 2009--

New variants have been found to create copies of themselves at the following location(s) on execution:

  • %WinDir%\system32\jushid.exe
  • %WinDir%\system32\java12.exe
  • %WinDir%\system32\java13.exe
  • %WinDir%\jvm.exe

It also creates a non-malicious file java.ini in %WinDir%.

It adds the following registry entry to start itself at system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = %WinDir%\system32\jushid.exe

To bypass the Windows Firewall it adds the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32\jushid.exe = "%WinDir%\System32\jushid.exe:*:Enabled:Explorer"

It also adds the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\java7kernel = "07"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\sun7micro = "01"

--------

--Update February 27, 2009--

A new variant began to be spammed on this date.

Upon execution, it drops a copy of itself using the following filename:

  • %WinDir%\system32\java[2 random characters].exe

It then drops another trojan with a random file name and injects it into winlogon.exe and explorer.exe. This trojan is detected as Vundo.gen.w.

It then creates a new scheduled task to run the dropped DLL from the following location:

  • %WinDir%\Tasks\[random filename].job

The following registry values are created to load the worm at system startup:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Sun Java Updater v7.4"
      Data: %WinDir%\system32\java[2 random characters].exe

This worm also terminates the following security process:

  • mcshield.exe

--------

W32/Xirtem@MM is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Upon execution, this worm displays a decoy picture to make the user believe that the file is a harmless image.

[decoy image displayed by the worm; not reproduced here]

Meanwhile, the worm connects to "Whatismyip.com" to get the victim's IP address.

Depending on the variant, it then copies itself to the following locations:

  • %WinDir%\system32\vxworks.exe, or
  • %WinDir%\system32\daemon.exe

It injects itself into multiple running processes.

Depending on the variant, it drops one or more of the following malicious files:

  • %WinDir%\system32\qnx.exe
  • %WinDir%\system32\awtustsr.dll
  • %WinDir%\system32\ddcBTLfd.dll
  • %WinDir%\system32\efcDTLEX.dll
  • %WinDir%\system32\kvslgsfk.dll

Some variants create a new task to run one of the dropped DLLs in the following location:

  • %WinDir%\Tasks\dgzqcscz.job

Some variants then launch an instance of iexplore.exe in the background and use it to log keystrokes to a file at the following location:

  • %WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net

Certain variants also download the following malicious DLLs:

  • APSTPLDR.DLL from http://www.zylon.net/[blocked]
  • kb600179.dll from 82.98.235.65

This worm spreads by copying itself into any removable media connected to the system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

It also has mass mailing capabilities: the worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.

It uses the following subject, attachment name and From address combinations for these e-mails:

Subject of E-mail                                           | Attachment name | From Address
------------------------------------------------------------|-----------------|------------------------
You've received A Hallmark E-Card!                          | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion. | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                       | coupon.zip      | giveaway@mcdonalds.com

Some variants create SMTP connections to the following servers on various outbound ports:


This worm also spreads by copying itself into the shared folders of peer-to-peer applications using the following file names (generally the names of popular applications and their cracks/keygens):

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe

It also injects malicious code into explorer.exe and opens a backdoor by connecting to the following domain:

  • web1.ser[removed].org

The backdoor has the following functions:

  • restart/shutdown computer
  • start/stop services
  • start/stop keylogger
  • download/upload files
  • create/terminate/list processes
  • perform port scanning
  • modify the hosts file
  • spread itself by instant messenger
  • gather passwords saved by Firefox and Internet Explorer
  • gather account information for instant messengers (MSN, Yahoo, Miranda, AIM)

Registry changes may vary according to the variant.

The following registry keys are added:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtustsr

The following registry values are created to load the worm at system startup:

  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "QnX"
      Data: %WinDir%\system32\qnx.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} "StubPath"
      Data: "%WinDir%\system32\qnx.exe"
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Wind River Systems"
      Data: %WinDir%\system32\vxworks.exe

It adds the following registry entries as part of its payload:

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
      Data: no
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "bsd"
      Data: 03
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "free"
      Data: 12
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"
      Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Daemon Tools"
      Data: %WinDir%\system32\daemon.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "e887a2ae"
      Data: rundll32.exe "%WinDir%\system32\kvslgsfk.dll",b

It adds the following registry entries to add itself to the Windows Firewall's authorized applications list:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\vxworks.exe"
      Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\daemon.exe"
      Data: %WinDir%\system32\daemon.exe:*:Enabled:Explorer

The following registry values are modified.

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"
      Old data: yes
      New data: 01, 00, 00, 00
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
      Old data: 00, 00, 00, 00
      New data: 01, 00, 00, 00
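The registry entries listed above (the Run and Active Setup autostarts, the Windows Firewall AuthorizedApplications exception with its path:scope:Enabled:name data format, the LowRiskFileTypes policy and the java6kernel/sun6micro marker values) can be checked offline in a .reg export taken from a suspect machine. The following Python is an added example, not McAfee's code or tooling; the export it scans is constructed, and the key patterns and reason strings are this example's own choices.

```python
"""Offline triage of a Windows .reg export for the autostart, firewall-exception
and marker entries this advisory attributes to W32/Xirtem@MM. Added example, not
McAfee's tooling; the sample export is constructed and runs on any platform."""
import re

# Autostart value names the advisory lists across the worm's variants.
XIRTEM_RUN_NAMES = {"SunJavaUpdateSched10", "SunJavaUpdateSched11", "Sun Java Updater v7.4",
                    "Windows Audio Services", "QnX", "Wind River Systems", "Daemon Tools", "e887a2ae"}
# Dropped components named in the advisory (lower-case basenames).
XIRTEM_BINARIES = {"jushed.exe", "jushid.exe", "java2.exe", "java12.exe", "java13.exe",
                   "jvm.exe", "vxworks.exe", "daemon.exe", "qnx.exe", "kvslgsfk.dll"}
# Marker values the worm writes under HKCU\...\CurrentVersion\Explorer.
XIRTEM_MARKERS = {"java6kernel", "sun6micro", "java7kernel", "sun7micro"}

AUTOSTART_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|Policies\\Explorer\\Run)$"
    r"|\\Active Setup\\Installed Components\\\{[^}]*\}$", re.I)
FIREWALL_LIST_RE = re.compile(
    r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
EXPLORER_KEY_RE = re.compile(r"\\CurrentVersion\\Explorer$", re.I)
ASSOC_KEY_RE = re.compile(r"\\Policies\\Associations$", re.I)

def _unquote(s):
    # Undo .reg quoting: strip surrounding quotes, unescape backslashes and quotes.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            keys[current][_unquote(name)] = _unquote(data)
    return keys

def parse_authorized_app(data):
    """Split a firewall AuthorizedApplications entry 'path:scope:Enabled|Disabled:name'.
    The path may contain a drive colon, so the fixed fields are taken from the right."""
    parts = data.split(":")
    if len(parts) < 4:
        return None
    return {"path": ":".join(parts[:-3]), "scope": parts[-3],
            "enabled": parts[-2].lower() == "enabled", "name": parts[-1]}

def mentions_xirtem_binary(data):
    """Substring match, so 'rundll32.exe "...\\kvslgsfk.dll",b' is caught as well."""
    lowered = data.lower()
    return any(b in lowered for b in XIRTEM_BINARIES)

def find_indicators(keys):
    """Return (key, value_name, reason) triples for every entry matching the advisory."""
    hits = []
    for key, values in keys.items():
        for name, data in values.items():
            if AUTOSTART_KEY_RE.search(key):
                if name in XIRTEM_RUN_NAMES or mentions_xirtem_binary(data):
                    hits.append((key, name, "autostart entry for a Xirtem component"))
            elif FIREWALL_LIST_RE.search(key):
                app = parse_authorized_app(data)
                if app and app["enabled"] and mentions_xirtem_binary(app["path"]):
                    hits.append((key, name, "Xirtem binary in firewall exception list"))
            elif ASSOC_KEY_RE.search(key) and name == "LowRiskFileTypes":
                if ".exe" in data.lower().split(";"):
                    hits.append((key, name, "LowRiskFileTypes lists .exe (attachment warnings suppressed)"))
            elif EXPLORER_KEY_RE.search(key) and name in XIRTEM_MARKERS:
                hits.append((key, name, "Xirtem infection marker value"))
    return hits

# Constructed export: the worm's entries next to two benign ones (ctfmon, Windows Messenger).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched10"="%WinDir%\\system32\\jushed.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%WinDir%\\System32\\jushed.exe"="%WinDir%\\System32\\jushed.exe:*:Enabled:Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"java6kernel"="07"
"sun6micro"="01"
'''

def triage_sample():
    return find_indicators(parse_reg_export(SAMPLE_REG))
```

Running triage_sample() on the constructed export yields five hits: the Run value, the firewall exception, the LowRiskFileTypes policy and the two marker values, while the ctfmon and Windows Messenger entries stay silent.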

Symptoms

  • Network activity on TCP port 25 due to e-mails being sent by the worm.
  • Presence of the files and registry entries mentioned above.
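The TCP port 25 symptom above can be turned into a detection over flow or firewall logs: a workstation that opens SMTP sessions to many different servers instead of the organisation's relay is behaving like the mass mailer described. The following Python is an added example, not from the advisory; the flow records, their field layout and the relay address are constructed for the demonstration.

```python
"""Flag hosts with SMTP fan-out in flow records (added example; the records, their
layout 'timestamp src dst dport proto' and the relay address are all constructed)."""
from collections import defaultdict

# Constructed flows: 10.0.5.17 sprays TCP/25 at six servers, 10.0.5.42 only submits
# through the relay, and the relay 10.0.0.25 legitimately talks to many MX hosts.
# External addresses are RFC 5737 documentation ranges, not the advisory's servers.
SAMPLE_FLOWS = """\
2009-07-01T10:00:01 10.0.5.17 192.0.2.10 25 tcp
2009-07-01T10:00:02 10.0.5.17 192.0.2.11 25 tcp
2009-07-01T10:00:02 10.0.5.17 198.51.100.7 25 tcp
2009-07-01T10:00:03 10.0.5.17 198.51.100.8 25 tcp
2009-07-01T10:00:03 10.0.5.17 203.0.113.5 25 tcp
2009-07-01T10:00:04 10.0.5.17 203.0.113.9 25 tcp
2009-07-01T10:00:05 10.0.5.42 10.0.0.25 25 tcp
2009-07-01T10:00:06 10.0.5.42 10.0.0.25 25 tcp
2009-07-01T10:00:07 10.0.5.42 192.0.2.80 443 tcp
2009-07-01T10:00:08 10.0.0.25 192.0.2.10 25 tcp
2009-07-01T10:00:08 10.0.0.25 198.51.100.7 25 tcp
2009-07-01T10:00:09 10.0.0.25 203.0.113.5 25 tcp
2009-07-01T10:00:09 10.0.0.25 203.0.113.9 25 tcp
2009-07-01T10:00:10 10.0.0.25 203.0.113.10 25 tcp
"""
MAIL_RELAYS = {"10.0.0.25"}  # sanctioned outbound relay(s); assumed value

def parse_flow(line):
    """Split one record; None for malformed lines so a bad line cannot abort the scan."""
    fields = line.split()
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    ts, src, dst, dport, proto = fields
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}

def find_direct_smtp_senders(lines, relays=MAIL_RELAYS, min_distinct_servers=5):
    """Return {src: sorted distinct SMTP servers} for non-relay hosts that reached at
    least min_distinct_servers different hosts on TCP/25. A workstation normally
    submits through one relay; fan-out to many MX hosts is the mass-mailer pattern."""
    servers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if not f or f["proto"] != "tcp" or f["dport"] != 25 or f["src"] in relays:
            continue
        servers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in servers.items()
            if len(dsts) >= min_distinct_servers}

def non_relay_smtp(lines, relays=MAIL_RELAYS):
    """Stricter policy check: every (src, dst) SMTP session that neither starts at
    nor ends at a sanctioned relay, regardless of volume."""
    pairs = set()
    for line in lines:
        f = parse_flow(line)
        if (f and f["proto"] == "tcp" and f["dport"] == 25
                and f["src"] not in relays and f["dst"] not in relays):
            pairs.add((f["src"], f["dst"]))
    return sorted(pairs)

def detect_sample():
    """Both checks over the constructed flows; only 10.0.5.17 should surface."""
    lines = SAMPLE_FLOWS.splitlines()
    return find_direct_smtp_senders(lines), non_relay_smtp(lines)
```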

Method of Infection

  • This worm spreads by harvesting e-mail addresses on the infected system and e-mailing a copy of itself to these addresses.
  • This worm also spreads by copying itself to removable media.

Removal

AVERT recommends always using the latest DATs and engine; this threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Xirtem@MM is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.

Aliases

  • Trojan-Banker.Win32.Banker.abbi (Kaspersky)
  • VirTool:Win32/CeeInject.gen!J (Microsoft)
  • W32.Degnax@mm (Symantec)
  • W32/Autorun-RI (Sophos)
