Kaspersky Threats

Detect Date

04/13/2011

Class

Platform

Description

The worm’s entire payload is executed through a code that is injected into the address space of the process “EXPLORER.EXE”. The payload is not executed if any one of the following conditions is fulfilled:

The following branch is missing from the system registry:
```
[HKCUControl PanelPowerCfgPowerPolicies]
```

The current user’s account name is:

USERNAME



user



COMPUTERNAME



CurrentUser

The following libraries are loaded in the worm’s address space:

SbieDll.dll



dbghelp.dll



api_log.dll



dir_watch.dll



pstorec.dll

The worm’s original file was saved in the system as:
```
c:file.exe
```
After injecting the malicious code through the process “EXPLORER.EXE”, the following actions are performed:
To ensure that the process is unique within the system, a unique identifier is created, which is named:
To provide access to the infected system, the following named pipe is created:
```
.piperrreokdirjiurururr
```
A connection is established to the malicious user’s server:
```
di***ind.cn



ant***tition.com



fre***unge.com
```
Following a command by the malicious user, the worm can perform the following actions on the infected computer:
- Organize a DoS attack on specified servers.
- Download files from links sent to it. The downloaded files are saved in the current user’s temporary files directory “%Temp%” using random names.
- Download updated version of the worm from the malicious user’s server.
- Analyze files of settings for these browsers:
```
Mozilla Firefox



Internet Explorer



Google Chrome



Opera
```
  for the purpose of stealing passwords saved in them.
- Steal and modify browser cookies. To do this, the worm uses the “sqlite” module built into the browser Mozilla Firefox.
- The actions described in the “Installation” and “Propagation” sections.
  The worm makes exchanges with the malicious user’s server through messages of the following type:
```
Scan stopped



Scan running



Scan started



KB data sent: <number>



SYN packets sent: <number>



Flood running



flood stopped: <string>



flooding: <string>



Drive infected: <string>



USB spreader running



P2P Copy to: <string>



MSN spreader running



MSN spread started, link: <string>MSN link sent
```
- By command from the malicious user, it is also possible to substitute the “hosts” file:
```
%System%driversetchosts
```
  At the time of writing, the malicious user’s server was not responding.

Find out the statistics of the threats spreading in your region

Detect Date	04/13/2011
Class	Net-Worm
Platform	Win32
Description	The worm’s entire payload is executed through a code that is injected into the address space of the process “EXPLORER.EXE”. The payload is not executed if any one of the following conditions is fulfilled: The following branch is missing from the system registry: [HKCUControl PanelPowerCfgPowerPolicies] The current user’s account name is: USERNAME user COMPUTERNAME CurrentUser The following libraries are loaded in the worm’s address space: SbieDll.dll dbghelp.dll api_log.dll dir_watch.dll pstorec.dll The worm’s original file was saved in the system as: c:file.exe After injecting the malicious code through the process “EXPLORER.EXE”, the following actions are performed: To ensure that the process is unique within the system, a unique identifier is created, which is named: To provide access to the infected system, the following named pipe is created: .piperrreokdirjiurururr A connection is established to the malicious user’s server: di*ind.cn anttition.com fre**unge.com Following a command by the malicious user, the worm can perform the following actions on the infected computer: Organize a DoS attack on specified servers. Download files from links sent to it. The downloaded files are saved in the current user’s temporary files directory “%Temp%” using random names. Download updated version of the worm from the malicious user’s server. Analyze files of settings for these browsers: Mozilla Firefox Internet Explorer Google Chrome Opera for the purpose of stealing passwords saved in them. Steal and modify browser cookies. To do this, the worm uses the “sqlite” module built into the browser Mozilla Firefox. The actions described in the “Installation” and “Propagation” sections. The worm makes exchanges with the malicious user’s server through messages of the following type: Scan stopped Scan running Scan started KB data sent: <number> SYN packets sent: <number> Flood running flood stopped: <string> flooding: <string> Drive infected: <string> USB spreader running P2P Copy to: <string> MSN spreader running MSN spread started, link: <string>MSN link sent By command from the malicious user, it is also possible to substitute the “hosts” file: %System%driversetchosts At the time of writing, the malicious user’s server was not responding.
	Find out the statistics of the threats spreading in your region

Net-Worm.Win32.Kolab