Worm:Win32/Refroso.A
First posted on 03 December 2009.
Source: SecurityHome
Aliases :
Worm:Win32/Refroso.A is also known as Win-Trojan/Refroso.27136 (AhnLab), Win32/Refroso.E (CA), Win32/AutoRun.IRCBot.BG (ESET), Trojan.Win32.Refroso.bck (Kaspersky), Backdoor-DVB (McAfee), W32/Smalldoor.GJGE (Norman), Trj/Buzus.AH (Panda), Troj/BRMCrypt-A (Sophos), Trojan.Refroso.FR (VirusBuster), TrojanDropper:Win32/Refroso.A (other).
Explanation :
Worm:Win32/Refroso.A is a worm that stops Windows Security Center and attempts to spread to other computers across a network by exploiting a vulnerability in Windows.
Installation
When run, this worm copies itself to the Windows folder as "usb_drv.exe". The registry is modified so that the dropped worm copy runs at each Windows start:
Adds value: "Universal Bus device"
With data: "usb_drv.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm terminates if it detects that any of the following security tools is running:
Wireshark Network Analyzer
Process Monitor
File Monitor
Registry Monitor
Spreads Via…
Networked computers
Worm:Win32/Refroso.A attempts to locate networked computers that have not applied the update from Security Bulletin MS08-067. The worm exploits this vulnerability on the target computer in order to copy itself to the vulnerable machine.
Mapped drives
The worm copies itself to mapped drives as "usb_drv.exe". It then writes an autorun configuration file named "autorun.inf" that points to the worm copy. When the drive is accessed from a machine with the Autorun feature enabled, the worm is launched automatically.
Payload
Stops Windows Security Center service
The worm drops a batch script in the root of the local drive as "x.bat" and runs it. The script attempts to stop Windows Security Center using the Windows utility "NET.EXE", as in the following example:
net stop "Security Center"
Downloads arbitrary files
The worm attempts to determine the IP address of the local machine by connecting to the following servers:
www.whatismyip.com
checkip.dyndns.org
The worm then sends information about the infected machine to the remote server "virtual-rejects.com", and may download executable updates from that server.
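As an added defender-side example (not part of the original write-up), the following Python flags the three host artefacts described above: an autorun.inf whose launch target is usb_drv.exe, a Run-key value named "Universal Bus device" or pointing at usb_drv.exe, and a batch file that issues net stop "Security Center". The sample autorun.inf layout and the benign Run-key entry are constructed for the example; in practice the inputs would come from the drive root, the Run subkey and the dropped x.bat.

```python
import re

# Indicators taken from the write-up above.
WORM_FILENAME = "usb_drv.exe"
RUN_VALUE_NAME = "Universal Bus device"

# Constructed sample autorun.inf: the write-up says only that the file points
# at the worm copy, so this exact key layout is an assumption.
SAMPLE_AUTORUN = """[autorun]
open=usb_drv.exe
shell\\open\\command=usb_drv.exe
"""

# Constructed Run-key snapshot: one worm entry and one benign (made-up) entry.
SAMPLE_RUN_VALUES = {
    "Universal Bus device": "usb_drv.exe",
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
}

def autorun_targets(text):
    """File names an autorun.inf would launch (open, shellexecute and
    shell\\...\\command keys of [autorun]); paths and quotes are stripped."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            prog = value.split()[0].strip('"') if value else ""
            targets.append(prog.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return targets

def run_key_hits(run_values):
    """Names of Run-key values matching the persistence described above."""
    return [name for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or data.strip('"').lower().endswith(WORM_FILENAME)]

def batch_stops_security_center(script_text):
    """True if a batch file issues net stop "Security Center" (the x.bat payload)."""
    pat = re.compile(r'^\s*net(\.exe)?\s+stop\s+"?security center"?\s*$', re.I)
    return any(pat.match(line) for line in script_text.splitlines())
```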
Analysis by Jaime Wong
Last update 03 December 2009