
Win32/Vesenlosow


First posted on 10 April 2013.
Source: Microsoft

Aliases:

There are no other names known for Win32/Vesenlosow.

Explanation:

Installation

As part of its installation process, variants of Worm:Win32/Vesenlosow create one of the following directories on your computer:

  • %USERPROFILE%\Wins7 - uses the icon from Suduko solver
  • %USERPROFILE%\Wins8 - uses the icon from UltraSurf
  • %USERPROFILE%\Wins9 - uses the icon from Freegate tool


It drops the following file in one of the above directories:

msmm.exe - detected as Worm:Win32/Vesenlosow.A

Vesenlosow uses one of the following icons for this dropped file:

(icon images not reproduced here)

As part of its installation process, the worm also drops a shortcut link onto your computer:

<startup folder>\sound player.lnk

This shortcut may look like any of the following:

(shortcut icon images not reproduced here)

To ensure that it runs each time you start your computer, it also creates the directory "C:\Documents and Settings\<user>\Start Menu\Programs\startups" with "hidden" and "system" attributes, and drops the following file into it:

desktop.ini

It makes the following changes to the registry to ensure that it runs each time Windows starts:

In subkey: Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AbPlayer"
With data: "C:\Users\Administrator\Wins7\msmm.exe"

Spreads via...

Removable drives

Worm:Win32/Vesenlosow copies a modified version of itself to all available removable drives as "new.exe" with an icon that has the appearance of a folder icon.

It also copies itself into the root folder of the removable drive with the name "New.exe".

If you open the worm file from your removable drive, it will run its malicious payload.



Payload

Steals information

We have observed variants of Vesenlosow collecting and sending the following information about your computer to a remote server via email, or by uploading it to the attacker's FTP site:

  • The user name of the currently logged-in user
  • The computer's name
  • The computer's GUID
  • The IP address
  • Any processes that are currently running on your computer
  • The contents of the clipboard
  • Any key strokes you make
  • The URIs visited using the HTTP, HTTPS and FTP protocols


The worm then creates a directory "\shin" with "hidden" attributes within the directory mentioned above, and creates the following file in which to store your stolen information:

sss.col
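A defender-side host check for the artifacts listed in the Installation and Payload sections above. This is an added example, not part of the original Microsoft write-up; it assumes the directory names, the "AbPlayer" Run value, the "sound player.lnk" shortcut, the "startups" directory and the "New.exe" removable-drive copy exactly as the page states them.

```powershell
# Added example: look for the Worm:Win32/Vesenlosow artifacts described on this page.
# Paths and value names are taken from the write-up; nothing here is an official tool.
$findings = @()

# Dropped directories %USERPROFILE%\Wins7|Wins8|Wins9, the msmm.exe payload,
# and the hidden "\shin" directory holding the stolen-data file sss.col
foreach ($d in 'Wins7', 'Wins8', 'Wins9') {
    $dir = Join-Path $env:USERPROFILE $d
    if (Test-Path -LiteralPath $dir) {
        $findings += "Directory present: $dir"
        $exe = Join-Path $dir 'msmm.exe'
        if (Test-Path -LiteralPath $exe) {
            $h = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $findings += "Dropped file present: $exe (SHA256 $h)"
        }
        $col = Join-Path $dir 'shin\sss.col'
        if (Test-Path -LiteralPath $col) { $findings += "Stolen-data store present: $col" }
    }
}

# Startup-folder shortcut "sound player.lnk" and where it points
$startup = [Environment]::GetFolderPath('Startup')
$lnk = Join-Path $startup 'sound player.lnk'
if (Test-Path -LiteralPath $lnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    $findings += "Startup shortcut present: $lnk -> $target"
}

# Hidden+system "startups" directory created beside the real "Startup" folder
$fake = Join-Path (Split-Path $startup -Parent) 'startups'
if (Test-Path -LiteralPath $fake) {
    $attr = (Get-Item -LiteralPath $fake -Force).Attributes
    $findings += "Suspicious 'startups' directory: $fake (attributes: $attr)"
}

# Run-key persistence: value "AbPlayer" (checked in both the user and machine hives)
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $key -Name 'AbPlayer' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run value AbPlayer in $key = $($val.AbPlayer)" }
}

# Removable drives (DriveType 2): root copy named "New.exe" with a folder icon
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $p = "$($_.DeviceID)\New.exe"
    if (Test-Path -LiteralPath $p) { $findings += "Removable-drive copy present: $p" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Vesenlosow artifacts found.' }
```

Run it in an elevated PowerShell session so the HKLM Run key and hidden/system directories are readable; a hit on any line is a reason to isolate the host and pull the file for analysis rather than simply delete it.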



Analysis by Michael Johnson

Last update 10 April 2013
