McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

W32/CEP.worm

This page shows details and results of our analysis on the malware W32/CEP.worm

Threat Detail

Malware Type: Virus

Malware Sub-type: Worm

Discovery Date: 2007-09-17

Next Steps:

Overview

The W32/CEP.worm is designed to spread via the removable media and drops BackDoor-CEP trojan.


Minimum DAT

5121 (2007-09-17)

Updated DAT

5558 (2009-03-19)

 Minimum Engine

4.4.00

File Length

229,376 bytes

 Description Added

2007-09-17

Description Modified

2007-09-26

Malware Proliferation

Characteristics

Upon execution, the worm copies itself to the following location.

  • %WinDir%\msmsgs.exe

It drops the following files:

  • %WinDir%\Debug\sysdeb.ini (data file)
  • %UserProfile%\Local Settings\Temp\windll.exe (BackDoor-CEP trojan)
  • %SystemDir%\explorer.exe  (BackDoor-CEP trojan)

The worm adds the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Messenger" = %WinDir%\msmsgs.exe

The dropped BackDoor-CEP trojan adds the following registry keys:

  • HKEY_CURRENT_USER\Software\Wget 
    "klg" = 01
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wget
    "nck" = (binary data)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
    "stubpath" = %SystemDir%\explorer.exe s

The BackDoor-CEP trojan attempts to connect the following remote site and waits commands.

  • christophe.[removed].net port:80

Symptoms

  • Presence of file(s) and registry key(s) as previously mentioned.
  • Unexpected network connections to the mentioned site(s).

Method of Infection

The worm attemps to drop the following files into the removable drives:

  • autorun.inf (root folder)
  • Recycler\Recycler\autorun.exe (W32/CEP.worm)
  • Recycler\Recycler\desktop.ini

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants

United States - English