This is a Visual Basic Script that comes encrypted with a simple algorithm in order to hide its purpose. The first action it takes is decrypting the actual body of the script, which is encapsulated in a string variable.
After decryption the worm performs the following actions:
- sets the values for DisplayLogo and Timeout of the Windows Script Host in order to hide its execution
- modifies the registry so it displays 2 new options on the contextual menu when right-clicking an executable file: "Scan for virus,s" and "Open application". The first executes a copy of the worm located in %windir%\system32\regedit.sys, the second %windir%\win.exe (discussed later)
- modifies the registry to hijack execution of several security software applications, screensavers and other commercial applications, as well as debug and system tools like drwtsn32.exe, taskmgr.exe, regedit.exe and rstrui.exe. Instead of these, its copy from %windir%\system32\regedit.sys will be launched
- also removes several backdoors and other malware from the computer it infected, to ensure it is the only malware present on the PC
- creates an autorun.inf file in every removable drive so that it gets executed when the drive is accessed
The %windir%\win.exe file is a backdoor dropped by the worm to allow remote access to the attacker.
The worm also checks the registry and makes sure that Windows Scripting Host is not disabled, that hidden and system files aren't visible in Explorer, that file extensions are hidden and that the autorun feature is enabled.
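The registry changes listed above are exactly the kind of thing an incident responder checks for when triaging a host. The following Python is an added example, not code from the original write-up or from BitDefender: it parses a constructed .reg export (not a real capture) and flags the settings the write-up describes. The key and value names (Windows Script Host\Settings\DisplayLogo and Timeout, Explorer\Advanced\Hidden, HideFileExt and ShowSuperHidden, Policies\Explorer\NoDriveTypeAutoRun, and the exefile\shell\<verb>\command context-menu keys) are the standard Windows locations for these settings; the exact values the worm writes are assumed, since the write-up only names the settings.

```python
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

# Constructed .reg export (not a real capture) showing the state the worm
# leaves behind: WSH logo suppressed, hidden/system files and extensions not
# shown, autorun allowed everywhere, and two context-menu verbs on .exe files
# pointing at the worm's copies named in the write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"DisplayLogo"="0"
"Timeout"="0"
"Enabled"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]
@="C:\\WINDOWS\\system32\\regedit.sys \"%1\""

[HKEY_CLASSES_ROOT\exefile\shell\Open application\command]
@="C:\\WINDOWS\\win.exe \"%1\""
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of .reg syntax needed here: keys, REG_SZ and REG_DWORD values."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3)
        if data.startswith("dword:"):
            tree[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg escapes backslash as \\ and quote as \" inside REG_SZ data
            tree[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        # hex:/expand-string types are not needed for these checks
    return tree


# File names the write-up attributes to the worm's copies (context-menu targets)
WORM_PATHS = ("regedit.sys", "win.exe")
_VERB_RE = re.compile(r"^HKEY_CLASSES_ROOT\\exefile\\shell\\([^\\]+)\\command$", re.IGNORECASE)


def check_indicators(tree: RegTree) -> List[str]:
    """Return one finding per weak setting or suspicious context-menu verb."""
    findings: List[str] = []
    wsh = tree.get(r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings", {})
    if str(wsh.get("DisplayLogo", "1")) == "0":
        findings.append(f"WSH DisplayLogo=0 (Timeout={wsh.get('Timeout', '?')}): scripts run silently")
    adv = tree.get(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", {})
    if adv.get("Hidden") == 2:          # 1 = show hidden files, 2 = do not show
        findings.append("Explorer Hidden=2: hidden files are not shown")
    if adv.get("HideFileExt") == 1:
        findings.append("Explorer HideFileExt=1: known extensions are hidden")
    if adv.get("ShowSuperHidden") == 0:
        findings.append("Explorer ShowSuperHidden=0: protected system files are not shown")
    pol = tree.get(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", {})
    if pol.get("NoDriveTypeAutoRun") == 0:  # 0 = autorun allowed on every drive type
        findings.append("NoDriveTypeAutoRun=0: autorun allowed on all drive types, including removable")
    for key, values in tree.items():
        m = _VERB_RE.match(key)
        if not m:
            continue
        cmd = str(values.get("@", ""))
        if any(p in cmd.lower() for p in WORM_PATHS):
            findings.append(f"exefile context-menu verb '{m.group(1)}' runs {cmd}")
    return findings


if __name__ == "__main__":
    for finding in check_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same checks would be run against an export produced with `reg export` of the keys above; the parser deliberately handles only the two value types those keys use, so anything else is ignored rather than misread.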
The backdoor is made of 2 components:
- a main executable written in Delphi
- a secondary executable written in Visual C which resides packed inside the resource section of the main executable
When executed, the main program will launch a second instance of the same executable, which will unpack the encrypted executable located in the .rsrc section, inject it into its own virtual memory space and then terminate.
The decrypted code will inject itself into a separate thread of explorer.exe and then quit. This thread will create a copy of itself inside directories like %SystemDrive%\Recycler\[dirname]\bfrss.exe, where [dirname] has a structure similar to S-1-5-21-1582865268-5844291516-424947749-0960. Besides the executable, it also creates a Desktop.ini file inside those directories, whose role is to hide the presence of the malware file.
The injected code will also make sure it spreads to all removable drives (USB sticks) by creating a copy of itself in the root folder of the drive under the name usbcheck.exe. An autorun.inf file will ensure the execution of the file.
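The two file-system footprints just described (an executable inside a SID-named Recycler subdirectory next to a Desktop.ini, and a usbcheck.exe in a removable drive root launched by autorun.inf) can be checked from a plain directory listing. The Python below is an added example, not code from the write-up or from BitDefender; it runs over a constructed listing rather than a real disk, and the Desktop.ini and autorun.inf contents are assumed, since the write-up does not quote them. Note the caveat built into the check: real Recycler subdirectories on Windows XP legitimately contain Desktop.ini and INFO2, so only an executable inside such a directory is reported.

```python
import re
from typing import Dict, List

# SID-shaped directory name as described in the write-up: S-1-5-21-<n>-<n>-<n>-<n>.
# Digits only; the write-up's sample sub-authority is wider than a real 32-bit
# one, so the width is deliberately not validated.
SID_DIR_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed listing (not a real capture): full path -> file bytes.
# Desktop.ini and autorun.inf contents are assumed for the example.
SAMPLE_FS: Dict[str, bytes] = {
    r"C:\Recycler\S-1-5-21-1582865268-5844291516-424947749-0960\bfrss.exe": b"MZ...",
    r"C:\Recycler\S-1-5-21-1582865268-5844291516-424947749-0960\Desktop.ini": b"[.ShellClassInfo]\r\n",
    r"C:\Recycler\S-1-5-21-1234567890-111111111-222222222-1001\INFO2": b"",   # legitimate bin
    r"E:\usbcheck.exe": b"MZ...",
    r"E:\autorun.inf": b"[autorun]\r\nopen=usbcheck.exe\r\nshellexecute=usbcheck.exe\r\n",
}


def parse_autorun_inf(data: bytes) -> Dict[str, str]:
    """Return the lower-cased key/value pairs of the [autorun] section."""
    section = None
    out: Dict[str, str] = {}
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def autorun_launch_targets(inf: Dict[str, str]) -> List[str]:
    """Files an autorun.inf would start, de-duplicated, in directive order."""
    keys = ("open", "shellexecute", "shell\\open\\command")
    return list(dict.fromkeys(inf[k] for k in keys if k in inf))


def scan_listing(fs: Dict[str, bytes]) -> List[str]:
    """Flag executables in SID-named Recycler dirs and autorun.inf launch targets."""
    findings: List[str] = []
    lower = {p.lower(): p for p in fs}
    for path in fs:
        parts = path.split("\\")
        # Executable inside <drive>\Recycler\<SID>\ ; Desktop.ini presence is noted, not required
        if (len(parts) >= 4 and parts[1].lower() == "recycler"
                and SID_DIR_RE.match(parts[2]) and parts[-1].lower().endswith(".exe")):
            ini = "\\".join(parts[:3] + ["Desktop.ini"]).lower()
            note = " (Desktop.ini alongside)" if ini in lower else ""
            findings.append(f"executable in Recycler SID directory: {path}{note}")
        # autorun.inf in a drive root whose launch target actually exists in that root
        if len(parts) == 2 and parts[1].lower() == "autorun.inf":
            root = parts[0]
            for target in autorun_launch_targets(parse_autorun_inf(fs[path])):
                tpath = f"{root}\\{target}".lower()
                if tpath in lower:
                    findings.append(f"autorun.inf in {root}\\ launches {lower[tpath]}")
    return findings


if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_FS):
        print(finding)
```

To use it against a real volume, build the dictionary from a recursive directory walk of the drive root and the Recycler directory; only autorun.inf files need their bytes read, every other entry can be an empty value.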
When executed, this Trojan creates a copy of itself in %windir%\system32\tray.exe and registers it to execute at system startup.
When the copy is launched, it will try to connect to an IRC server called warraca.elcrazyfrog.com. It has the potential of downloading and executing other files (probably malware) if the command is issued by the attacker through the IRC network.
It will also search for sensitive data inside browser-related files like:
The information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.