Detect Date 04/13/2011
Class Net-Worm
Platform Win32

The worm’s entire payload is executed by code injected into the address space of the process “EXPLORER.EXE”. The payload is not executed if any one of the following conditions is met:

  • The following branch is missing from the system registry:
    [HKCU\Control Panel\PowerCfg\PowerPolicies]
  • The current user’s account name is:
  • The following libraries are loaded in the worm’s address space:
  • The worm’s original file was saved in the system as:

    After the malicious code has been injected into the process “EXPLORER.EXE”, the following actions are performed:

  • To ensure that only one instance of the worm runs on the system, a unique identifier is created with the name:
  • To provide access to the infected system, the following named pipe is created:
  • A connection is established to the malicious user’s server:

    On command from the malicious user, the worm can perform the following actions on the infected computer:

    • Launch a DoS attack against specified servers.
    • Download files from links sent to it. The downloaded files are saved in the current user’s temporary files directory “%Temp%” under random names.
    • Download an updated version of the worm from the malicious user’s server.
    • Analyze the settings files of the following browsers:
      Mozilla Firefox
      Internet Explorer
      Google Chrome

      in order to steal the passwords saved in them.

    • Steal and modify browser cookies. To do this, the worm uses the “sqlite” module built into Mozilla Firefox.
    • The actions described in the “Installation” and “Propagation” sections.

      The worm exchanges messages of the following types with the malicious user’s server:

      Scan stopped
      Scan running
      Scan started
      KB data sent: <number>
      SYN packets sent: <number>
      Flood running
      flood stopped: <string>
      flooding: <string>
      Drive infected: <string>
      USB spreader running
      P2P Copy to: <string>
      MSN spreader running
      MSN spread started, link: <string>
      MSN link sent
    • On command from the malicious user, the worm can also replace the “hosts” file:

      At the time of writing, the malicious user’s server was not responding.
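The status messages listed above are fixed strings with at most one variable part, which makes them a usable network or sandbox indicator. The classifier below is an added example, not part of the original description or of any vendor tool; it assumes the messages are visible as plain text lines (for example in a proxy log or sandbox capture), and the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Exact status strings from the description (no variable part).
FIXED_MESSAGES = {
    "Scan stopped", "Scan running", "Scan started", "Flood running",
    "USB spreader running", "MSN spreader running", "MSN link sent",
}

# Templates with a variable part: <number> -> digits, <string> -> any text.
TEMPLATES = [
    ("kb_data_sent",       re.compile(r"^KB data sent: (\d+)$")),
    ("syn_packets_sent",   re.compile(r"^SYN packets sent: (\d+)$")),
    ("flood_stopped",      re.compile(r"^flood stopped: (.+)$")),
    ("flooding",           re.compile(r"^flooding: (.+)$")),
    ("drive_infected",     re.compile(r"^Drive infected: (.+)$")),
    ("p2p_copy",           re.compile(r"^P2P Copy to: (.+)$")),
    ("msn_spread_started", re.compile(r"^MSN spread started, link: (.+)$")),
]

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return {"event": ..., "value": ...} for a known bot message, else None."""
    text = line.strip()
    if text in FIXED_MESSAGES:
        return {"event": text.lower().replace(" ", "_"), "value": ""}
    for event, pattern in TEMPLATES:
        m = pattern.match(text)
        if m:
            return {"event": event, "value": m.group(1)}
    return None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every line, keeping only recognised bot status messages."""
    hits = []
    for line in lines:
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits

# Constructed sample capture (not real traffic): bot messages mixed with noise.
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "SYN packets sent: 1500",
    "flooding: example.invalid",
    "MSN spread started, link: http://example.invalid/x",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The strings are anchored to the whole line, so a partial match such as "KB data sent: abc" is rejected rather than reported.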
