Home / malwarePDF  

Dropped:Win32.Warezov.DO@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Dropped:Win32.Warezov.DO@mm is also known as Win32/Stration, Win32.HLLM.Limar, Win32/Stratio, Win32/Strati, Email-Worm.Win32.Warezov.

Explanation :

This malware is composed of three parts:

A dll with the size of 8704 bytes which gets loaded in every process and has the purpose of killing different windows services (related to security products and Windows Update). It acomplishes this by registering itself in the AppInit_DLLs value of the HKEY_CURRENT_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows key. The targeted services are:

wuauserv
SNDSrvc
kavsvc
NOD32krn
wuauclt
tbmon
mcupdate
luinvk
lsetup
alunotify
ndetect
luall
aupdaten
kav
autodown
spiderml
drwebupw
upgrader
wupdmgr
sndsrvc
kavsvc
avgupsvc
avginet

A dropper with the size of 28708 packed with UPX. This drops the dowloader component (described below) in the System32 directory with a random name like FFFFFFFFFF.exe or wwwwwwwwww.exe and executes it.

The downloader component has a size of 14336 bytes. Upon execution it shows a fake error message with the text "Unknown error" which has the purpose of misleading the user into believing that the executable did not run. Then it will wait until an internet connection is available, download an executable from a predefined URL and execute it. The downloading is done with the Winsock functions, and because of that it will fail if a given computer needs to go through a predefined proxy server to access the Internet.

Last update 21 November 2011

 

TOP