
Worm:Win32/Citeary.B


First posted on 15 December 2009.
Source: SecurityHome

Aliases :

There are no other names known for Worm:Win32/Citeary.B.

Explanation :

Worm:Win32/Citeary.B is a worm that spreads to all available drives including the local drive, installs device drivers and attempts to download other malware from a predefined website.
Installation

When Worm:Win32/Citeary.B is run, it drops a copy of itself as the following:

<system folder>\systeX.dll

The dropped worm copy is run using the Windows utility "RUNDLL32.exe", and it then drops a device driver as the following files:

<system folder>\drivers\drver.sys - VirTool:WinNT/Citeary.B
<system drive:>\driver.sys - VirTool:WinNT/Citeary.B

The drivers are used by the worm to hook certain Windows APIs in kernel mode.

Spreads via… mapped and logical drives

The worm copies the following files to the root of all available drives, including the local drive:

<drive:>\autorun.inf - Worm:Win32/Citeary.B!inf
<drive:>\autorun.vbs - Trojan:VBS/Citeary.B
<drive:>\system.exe - Worm:Win32/Citeary.B

The Autorun configuration file "autorun.inf" executes the VBScript component "autorun.vbs". This VBScript component is a short script that launches "system.exe". When the infected removable or network drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.

Payload: downloads and executes arbitrary files

The worm attempts to retrieve a file hosted on the website "ddl.754245.com" and save it as the following:

<system folder>\syste2.dll

The file would then be executed using the Windows utility "RUNDLL32.exe". At the time of this writing, the site was unavailable.
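The following host-based check is an added example, not part of the original write-up. It looks for the artifact set described above: the autorun.inf / autorun.vbs / system.exe triad at a drive root (and whether autorun.inf actually hands execution to the VBScript), plus the dropped DLLs and driver in the system folder. File names come from the write-up; the scan functions and the paths they are pointed at are assumptions for illustration.

```python
from pathlib import Path

# Files the worm writes to the root of every drive it reaches (from the write-up).
DRIVE_ROOT_ARTIFACTS = ("autorun.inf", "autorun.vbs", "system.exe")
# Files dropped under the Windows system folder, relative to it (from the write-up).
SYSTEM_ARTIFACTS = ("systeX.dll", "syste2.dll", "drivers/drver.sys")


def autorun_launches_vbs(inf_path: Path) -> bool:
    """True if autorun.inf's open= or shellexecute= entry points at autorun.vbs.

    The file is parsed line by line rather than with configparser, because
    autorun.inf written by malware is often not a well-formed INI file.
    """
    try:
        text = inf_path.read_text(errors="ignore")
    except OSError:
        return False
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() in ("open", "shellexecute") and "autorun.vbs" in value.lower():
            return True
    return False


def scan_drive_root(root: Path) -> list[str]:
    """Return findings for one drive root; an empty list means no Citeary.B indicators."""
    findings = []
    present = [name for name in DRIVE_ROOT_ARTIFACTS if (root / name).is_file()]
    if len(present) == len(DRIVE_ROOT_ARTIFACTS):
        findings.append(f"{root}: full autorun.inf/autorun.vbs/system.exe triad present")
    elif present:
        # A partial set is worth a look: an autorun.inf alone may be benign, but not with autorun.vbs.
        findings.append(f"{root}: partial artifact set {present}")
    if "autorun.inf" in present and autorun_launches_vbs(root / "autorun.inf"):
        findings.append(f"{root}: autorun.inf hands execution to autorun.vbs")
    return findings


def scan_system_folder(system_folder: Path) -> list[str]:
    """Return findings for the dropped components under the Windows system folder."""
    return [f"{system_folder / rel}: dropped Citeary.B component present"
            for rel in SYSTEM_ARTIFACTS if (system_folder / rel).is_file()]


if __name__ == "__main__":
    import os
    # Assumed locations: every drive letter that exists on Windows, or "/" elsewhere.
    roots = [Path(f"{c}:\\") for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"] if os.name == "nt" else [Path("/")]
    for finding in [f for r in roots if r.exists() for f in scan_drive_root(r)]:
        print(finding)
    for finding in scan_system_folder(Path(os.environ.get("SystemRoot", "C:\\Windows")) / "System32"):
        print(finding)
```

On Windows the lookups are case-insensitive, so "systeX.dll" matches however the name was written; on other systems the names must match exactly.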

Analysis by Vincent Tiu

Last update 15 December 2009
