W32/Crog.worm

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2005-03-07

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5400.1158

File Length

17,429 bytes (MEW)

Description Added

2005-03-07

Description Modified

2005-03-07

Malware Proliferation

This detection is for a worm written in MSVB, and packed with MEW, bearing the following characteristics:

  • propagates via MSN Instant Messenger
  • propagates via eMule P2P networks
  • modifies various Registry settings on the victim machine, lowering security settings
  • overwrites the local HOSTS file, preventing access to several security-related domains
  • terminates several processes (security-related applications)

This worm was briefly detected as W32/Generic.m in the beta DATs.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

MSN IM Propagation

The worm attempts to send itself to recipients via MSN Instant Messenger, using one of the filenames it installs itself as on the victim machine.

P2P Propagation

The worm also copies itself to the following folders in an attempt to propagate through file-sharing networks:

  • %SYSTEMDRIVE%\My Shared Folder\
  • %PROGRAMFILES%\eMule\Incoming\
  • %USERFOLDER%\Shared\

The following filenames are used:

  • Messenger Plus! 3.50.exe
  • MSN all version polygamy.exe
  • MSN nudge bomb.exe

Propagation to CDs

In an attempt to propagate to CDs that are burnt from the victim machine, the worm copies itself to the following folder as AUTORUN.EXE:

  • %USERFOLDER%\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

It also updates (or creates) an AUTORUN.INF file in this folder to contain:

  • OPEN=AUTORUN.EXE

(Where %USERFOLDER% represents the folder %SYSTEMDRIVE%\Documents and Settings\%USERNAME%\.)

Installation

When run, the worm copies itself to the victim machine using several filenames:

  • %sysdir%\formatsys.exe
  • %sysdir%\serbw.exe
  • %windir%\msmbw.exe
  • %windir%\lspt.exe

Additional copies of the worm are dropped to the root of the system drive, using the following filenames:

  • Crazy frog gets killed by train!.pif
  • Annoying crazy frog getting killed.pif
  • See my lesbian friends.pif
  • LOL that ur pic!.pif
  • My new photo!.pif
  • Me on holiday!.pif
  • The Cat And The Fan piccy.pif
  • How a Blonde Eats a Banana...pif
  • Mona Lisa Wants Her Smile Back.pif
  • Topless in Mini Skirt! lol.pif
  • Fat Elvis! lol.pif
  • Jennifer Lopez.scr

A series of keys are added to the Registry to hook system startup. The following keys are modified:

  • HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The names of the added keys are one of the following:

  • ltwob
  • serpe
  • avnort

The values are the filename the worm has installed as:

  • %windir%\formatsys.exe
  • %windir%\serbw.exe
  • %windir%\msmbw.exe
  • %windir%\lspt.exe

The worm also drops an HTML file to the root of the system drive and loads it in the default browser. This HTML page loads a counter and an image (JPG) from a remote server:

  • h t tp://frog.0catch.com/(blocked)big_deal.jpg
  • h t tp://udjc.com/(blocked)
    (this server is contacted to load the counter)

A text file is also dropped to the root of the system drive. This file contains a message intended for the author of W32/Laris.worm.

Modification of local HOSTS file

The local HOSTS file is overwritten in an attempt to redirect (to 64.233.167.104) access to the following domains:

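A defender-side check for the HOSTS tampering described above, added here as an example and not part of the original advisory: it parses a constructed HOSTS file, flags any listed security-vendor host that has been pinned to an address, and distinguishes a redirect (such as the 64.233.167.104 address above) from a loopback blackhole. The vendor list is a subset of the page's domains, generalized to cover their subdomains; the sample file content is constructed.

```python
import ipaddress

# Subset of the security-vendor domains listed in the advisory.
VENDOR_DOMAINS = (
    "mcafee.com", "symantec.com", "sophos.com", "f-secure.com",
    "kaspersky.com", "trendmicro.com", "nai.com", "grisoft.com",
)

# Constructed sample HOSTS: two legitimate entries, then worm-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
64.233.167.104  www.mcafee.com
64.233.167.104  liveupdate.symantec.com   # trailing comment
64.233.167.104  sophos.com  www.sophos.com
127.0.0.1       www.kaspersky.com
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an IP: ignore the line
        for host in fields[1:]:               # one IP may carry several names
            yield addr, host.lower()

def matches_vendor(host, vendors=VENDOR_DOMAINS):
    """True if host is a listed vendor domain or a subdomain of one."""
    return any(host == v or host.endswith("." + v) for v in vendors)

def find_vendor_hijacks(text, vendors=VENDOR_DOMAINS):
    """Return (ip, host, kind) per vendor host pinned in HOSTS.
    kind: 'blackhole' for loopback/unspecified targets, else 'redirect'."""
    hits = []
    for addr, host in parse_hosts(text):
        if not matches_vendor(host, vendors):
            continue
        kind = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        hits.append((str(addr), host, kind))
    return hits
```

On a live system the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit at all is worth investigating, since vendor update hosts are never legitimately pinned there.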

Lowering Security Settings

The worm changes the values of the following Registry keys, setting both to 0:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableConfig" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableSR" = 0

Process Termination

The worm terminates any of the following processes if they are running:


The worm also looks for any running applications whose window title contains one of several strings, terminating them if found. These strings again correspond to security-related applications.