Overview
This description is for a network aware worm which is capable of replicating across existing networks through open network shares and removable storage media.
The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.
|
Minimum DAT
4757 (2006-05-08) Updated DAT5420 (2008-10-31) |
Minimum Engine
5.1.00 File LengthN/A |
Description Added
2006-05-08 Description Modified2008-05-15 |
Malware Proliferation
Characteristics
When executed, this worm creates the following folders:
- %AppData%\Windows
- C:\dago
- %Windir%\Dago
- %Windir%\DirectX
- %Windir%\Firewall
- %Windir%\User
It also drops a copy of itself in the following locations:
- C:\dago\baru.exe
- C:\Windows.exe
- C:\evanta44.cuex44
- C:\Punya %UserName%.exe
- %CommonPrograms%\Startup\adobe.com
- %AppData%\Windows\Crss.exe
- %AppData%\Windows\Lsass.exe
- %AppData%\Windows\Services.exe
- %AppData%\Windows\Smss.exe
- %AppData%\Windows\Winlogon.exe
- %Profiles%\%UserName%Nitip.exe
- %Windir%\Dago\CueX44.exe
- %Windir%\Dago\Dago.exe
- %Windir%\debug.cmd
- %Windir%\evanta44.scr
- %Windir%\fad.bin
- %Windir%\Firewall\Firewall.com
- %Windir%\Media\Windows.cmd
- %Windir%\system\oledb32.exe
- %Windir%\system\server.exe
- %System%\system.dll
- %Windir%\User\.exe
Apart from this, it also drops the following other files:
- C:\dasar cewek.htm
- %Windir%\msvbvm60.dll
- %Windir%\sys.bat
- %System%\Oeminfo.ini
Note:
- %AppData% is a variable that refers to C:\Documents and Settings\[UserName]\Application Data.
- %Profiles% refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings
- %UserName% refers to the current user name
- %System% is a variable that refers to the windows system folder. By default, this is ?C:\Windows\System32? for Windows XP.
The dropped file "dasar cewek.htm" has the following contents:
|
Cuex44 |
The following registry entries are modified to ensure the worm's execution at system startup:
- Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
%UserName% di Dago = "%Windir%\Dago\Dago.exe"
CueX44 = "%Windir%\Dago\Dago.exe"
Csrss = "%AppData%\Windows\Csrss.exe"
Lsass = "%AppData%\Windows\Lsass.exe" - Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
SQL = "%Windir%\system\server.exe"
User = "%Windir%\User\.exe"
Winlogon = "%AppData%\Windows\Winlogon.exe"
Services%UserName% = "%AppData%\Windows\Services.exe" - Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe "%System%\\config\systemprofile\Local Settings\Application Data\tic.exe""
Userinit = "%System%\userinit.exe,%System%\\Media\Windows.cmd"
Symptoms
This worm attempts to connect to www.17tahun.com on port 1034, but at the time of writing this description, the site seemed down.
The worm modifies the following windows explorer settings:
- Removes the ?Folder Options? item, from all Windows Explorer menus and from Control Panel
- Disables windows registry editing tools; regedit.exe and regedt32.exe
- Disables invoking of the Windows ?Task Manger? to view running processes
This worm creates an oeminfo.txt in the %System% directory, with the following contents:
|
[General] Manufacturer= evanta44
|
The following is a screenshot of how the ?System Properties? panel would look like before and after infection:
Before Infection:
After Infection:
Method of Infection
This is a network aware worm and is capable of spreading through open network shares and removable devices.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants