W32/Tufast.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 10/08/2002
Length: 235,520 bytes
Minimum DAT: 4229 (10/16/2002)
Updated DAT: 4322 (02/04/2004)
Minimum Engine: 5.1.00
Description Added: 10/15/2002
Description Modified: 10/15/2002 3:01 PM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a KaZaa peer-to-peer file-sharing worm, keylogger, IRC bot, and remote access trojan. It impersonates the "AVP" anti-virus program and arrives via KaZaa when a user downloads and executes an infected file. When run, the worm displays a window and pretends to scan for viruses.

After the "scan" is complete, a reboot request is displayed:

Rebooting now to finish the disinfection

Clicking the "OK" button reboots the system.

The worm copies itself to the WINDOWS (%WinDir%) directory using a random ten-letter filename and creates a registry Run value to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "__(10 character random filename)" = %WinDir%\(random filename).exe

The worm opens TCP port 4500 and varying UDP ports. It connects to the IRC server irc.libnet.com.br to notify the author of the victim's IP address. This allows the author to connect to the infected system through the remote access trojan component.

The worm retrieves the KaZaa local content folder via the registry:

  • HKEY_CURRENT_USER\Software\KAZAA\LocalContent\Dir0

It uses this folder to drop copies of itself, naming each copy after a file already present there but with an .exe extension. For example, if the file ReadMe.txt exists in the directory, a copy of the worm is created with the name ReadMe.exe.

The following registry values are set to configure KaZaa to use a proxy server, enable file sharing, and store a marker the worm uses so that the fake AVP window is displayed only the first time the worm is run:

  • HKEY_CURRENT_USER\Software\KAZAA\LocalContent "BehindProxy" = 1
  • HKEY_CURRENT_USER\Software\KAZAA\LocalContent "DisableSharing" = 0
  • HKEY_CURRENT_USER\Software\KAZAA\LocalContent "KaZaARegKey" = (10 character random filename)

Symptoms

- TCP port 4500 left open.
- Presence of the aforementioned registry keys and Windows
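As an added defender-side example (not part of the McAfee description): a Python triage routine that evaluates the indicators listed under Characteristics and Symptoms against an offline snapshot of a host, so the checks can be run over data collected from a machine rather than on the machine itself. The registry paths, value names, TCP port and %WinDir%\~TMP location are taken from the description; the HostSnapshot layout, the treatment of Dir0 as a value under the LocalContent key, the ten-ASCII-letter pattern for the random name, and both sample hosts are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Indicators from the W32/Tufast.worm description (registry paths, value names,
# TCP port, %WinDir%\~TMP). HostSnapshot and the sample data are constructed for
# this example; Dir0 is modelled as a value under the LocalContent key.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\KAZAA\LocalContent"
WORM_TCP_PORT = 4500
TEN_LETTERS = re.compile(r"^[A-Za-z]{10}$")  # "ten-letter random filename" (assumed ASCII)

@dataclass
class HostSnapshot:
    """Offline view of one host as a triage script might collect it (constructed)."""
    windir: str
    registry: dict       # key path -> {value name: data}
    listening_tcp: set   # ports with a TCP listener
    windir_files: set    # file names directly under %WinDir%
    share_folders: dict  # folder path -> set of file names in it

def check_run_key(snap):
    """Run values named "__<10 letters>" whose data is %WinDir%\\<10 letters>.exe."""
    exe_re = re.compile(re.escape(snap.windir) + r"\\[A-Za-z]{10}\.exe$", re.IGNORECASE)
    return [f"run key value {name} loads {data}"
            for name, data in snap.registry.get(RUN_KEY, {}).items()
            if name.startswith("__") and TEN_LETTERS.match(name[2:]) and exe_re.match(str(data))]

def check_kazaa_config(snap):
    """LocalContent values the worm writes: proxy on, sharing on, ten-letter marker."""
    vals = snap.registry.get(KAZAA_KEY, {})
    found = []
    if vals.get("BehindProxy") == 1:
        found.append("KaZaa BehindProxy = 1")
    if vals.get("DisableSharing") == 0:
        found.append("KaZaa DisableSharing = 0")
    marker = vals.get("KaZaARegKey")
    if isinstance(marker, str) and TEN_LETTERS.match(marker):
        found.append(f"KaZaa KaZaARegKey marker = {marker}")
    return found

def check_listener(snap):
    return [f"TCP port {WORM_TCP_PORT} listening"] if WORM_TCP_PORT in snap.listening_tcp else []

def check_keylog_files(snap):
    hits = sorted(f for f in snap.windir_files if f.upper().startswith("~TMP"))
    return [f"keylog file {snap.windir}\\{f}" for f in hits]

def check_share_folder(snap):
    """<name>.exe sitting beside <name>.<other ext> in the folder named by Dir0."""
    folder = snap.registry.get(KAZAA_KEY, {}).get("Dir0")
    groups = {}  # lower-cased stem -> {ext: original file name}
    for f in snap.share_folders.get(str(folder), set()):
        stem, dot, ext = f.rpartition(".")
        if dot:
            groups.setdefault(stem.lower(), {})[ext.lower()] = f
    found = []
    for _, by_ext in sorted(groups.items()):
        others = sorted(e for e in by_ext if e != "exe")
        if "exe" in by_ext and others:
            found.append(f"shared copy {by_ext['exe']} beside {by_ext[others[0]]}")
    return found

CHECKS = {"run_key": check_run_key, "kazaa_config": check_kazaa_config,
          "listener": check_listener, "keylog": check_keylog_files,
          "share_folder": check_share_folder}

def triage(snap):
    """Run every check and keep only the categories that produced findings."""
    return {name: hits for name, check in CHECKS.items() if (hits := check(snap))}

def suspected(snap):
    """The run key alone is decisive; otherwise require two independent categories,
    since DisableSharing = 0 by itself is just a user who shares files."""
    findings = triage(snap)
    return "run_key" in findings or len(findings) >= 2

# Constructed sample hosts: one matching the description, one clean KaZaa user.
SHARE = r"C:\Program Files\KaZaA\My Shared Folder"
INFECTED = HostSnapshot(
    windir=r"C:\WINDOWS",
    registry={RUN_KEY: {"__qwzkplmbnx": r"C:\WINDOWS\qwzkplmbnx.exe"},
              KAZAA_KEY: {"BehindProxy": 1, "DisableSharing": 0,
                          "KaZaARegKey": "qwzkplmbnx", "Dir0": SHARE}},
    listening_tcp={135, 4500}, windir_files={"explorer.exe", "~TMP1.txt"},
    share_folders={SHARE: {"ReadMe.txt", "ReadMe.exe", "song.mp3"}})
CLEAN = HostSnapshot(
    windir=r"C:\WINDOWS",
    registry={RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
              KAZAA_KEY: {"BehindProxy": 0, "DisableSharing": 0, "Dir0": SHARE}},
    listening_tcp={135}, windir_files={"explorer.exe"}, share_folders={SHARE: {"song.mp3"}})

if __name__ == "__main__":
    for label, host in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, "suspected" if suspected(host) else "not suspected", triage(host))
```

The verdict deliberately weights the indicators: a Run value with the "__" ten-letter name pointing at a ten-letter executable in %WinDir% is specific enough on its own, whereas a KaZaa user with sharing enabled (DisableSharing = 0) matches one of the listed values without being infected, so the clean sample host produces one finding but no verdict.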

Method of Infection

The trojan component can terminate the following security software processes when the attacker issues the appropriate command:

  • _AMON
  • _AVP32
  • _AVPCC
  • _AVPM
  • ALERTSVC
  • AVP Control Centre
  • AVP32
  • AVPCC
  • AVPM
  • KAV Monitor
  • N32SCANW
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • NAVWNT
  • NOD32
  • NPSSVC
  • NRESQ32
  • NSCHED32
  • NSCHEDNT
  • NSPLUGIN
  • SCAN
  • SMSS

Typed keystrokes and displayed window titles are stored in files in the WINDOWS directory (%WinDir%\~TMP). This allows a remote attacker to retrieve personal information such as usernames, passwords and account numbers.

The trojan also accepts IRC commands via the IRC server/channel that it connects to automatically.

Removal

All Users:
Use the specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.IRC.Tufast (AVP)
  • PackAger I-Worm
  • W32.HLLW.Tufas (Symantec)
  • Win32.Pakfix (CA)
  • WORM_PAKGER.A (Trend)