Worm:Win32/Soglueda.A
First posted on 27 November 2010.
Source: SecurityHome

Aliases:
Worm:Win32/Soglueda.A is also known as Trojan-Spy.Win32.Agent.bhpj (Kaspersky), Trojan.ADH (Symantec).

Explanation:
Worm:Win32/Soglueda.A is a worm that replaces an existing Windows system file named "services.exe" with a copy of itself. Win32/Soglueda.A spreads to other computers by copying itself to removable drives. The worm also installs a key logger that captures user-entered keystrokes and sends the data to a remote server.
Installation
When executed, Worm:Win32/Soglueda.A copies itself to "<system folder>\services.exe", replacing the existing Windows system file. The worm also drops a copy of itself as " .cmd" into the Windows system folder.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Spreads via…
Removable drives
Worm:Win32/Soglueda.A may create the following file on targeted drives when spreading:
<targeted drive>:\dllrun.exe
In some instances, the worm copies itself as "rundll.exe". It also places an Autorun configuration file named "autorun.inf" in the root directory of the targeted drive. Autorun configuration files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload
Installs key logger
The malware creates the following file on an affected computer:
<system folder>\winm.dll - detected as TrojanSpy:Win32/Keylogger.X
Worm:Win32/Soglueda.A utilizes code injection in order to hinder detection and removal of the trojan code. When the worm executes, it injects the trojan code "winm.dll" into running processes, including, for example:
cmd.exe
csrss.exe
explorer.exe
winlogon.exe
The trojan key logger records keystrokes and window titles and reports them to a remote host. We have observed the trojan contact the following remote hosts to send captured data using port 80:
bi.aznaryespinosa.com.ar
bits.aznaryespinosa.com.ar
f.aznaryespinosa.com.ar
nico.aznaryespinosa.com.ar
servers.aznaryespinosa.com.ar
muler.agusting.com.ar
winupdate32.sytes.net
174.36.209.138

Changes Windows settings
The worm modifies the registry to change the default icon for files of type ".EXE" so that they appear as a text or document file, as in the following example:
In subkey: HKLM\SOFTWARE\Classes\.exe
Sets value: "(default)"
With data: "exefile "
In subkey: HKLM\SOFTWARE\Classes\exefile 
Sets value: "(default)"
With data: "aplicación"
In subkey: HKLM\SOFTWARE\Classes\exefile \DefaultIcon
Sets value: "(default)"
With data: "shell32.dll,2"

Disables programs from running
Worm:Win32/Soglueda.A deletes registry data that would execute device drivers and services at Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: " "
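As an added example (not part of the original write-up), the following Python checks two of the artefacts described above offline: an autorun.inf that launches the dropped "dllrun.exe"/"rundll.exe", and the ".exe" ProgID, DefaultIcon and Run-key changes. The sample autorun.inf text and the registry snapshot dictionary are constructed for the demonstration; in practice the snapshot would be parsed from a .reg export of the affected machine.

```python
# Added example, not code from the advisory: offline checks for two of the
# artefacts described above, run here over constructed sample input.
import re

# Executable names the advisory says the worm drops on removable drives.
DROPPED_NAMES = {"dllrun.exe", "rundll.exe"}
CLASSES = "HKLM\\SOFTWARE\\Classes"
RUN_KEYS = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")

def autorun_launches_dropper(autorun_text):
    """True if the [autorun] section launches one of the dropped names."""
    in_autorun = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                tokens = value.replace('"', "").split()
                # Compare only the file name, whatever path prefix is used.
                if tokens and re.split(r"[\\/]", tokens[0])[-1].lower() in DROPPED_NAMES:
                    return True
    return False

def exe_association_findings(reg):
    """Findings for the .EXE icon/ProgID and Run-key changes described above.
    `reg` maps registry key paths to their (default) value; absent keys are
    treated as unset, so a clean machine produces no findings."""
    findings = []
    progid = reg.get(CLASSES + "\\.exe", "exefile")
    if progid != "exefile":  # e.g. "exefile " with a trailing space
        findings.append(".exe ProgID is %r, expected 'exefile'" % progid)
    icon = reg.get(CLASSES + "\\" + progid + "\\DefaultIcon", "%1")
    if icon.strip() != "%1":  # shell32.dll,2 is the generic document icon
        findings.append("DefaultIcon for %r is %r, not '%%1'" % (progid, icon))
    for run in RUN_KEYS:
        if run in reg and reg[run].strip() == "":
            findings.append(run + " (default) is a blank string")
    return findings

SAMPLE_AUTORUN = "[autorun]\nopen=dllrun.exe\nicon=dllrun.exe,0\n"  # constructed
SAMPLE_REG = {  # constructed from the registry values the advisory lists
    CLASSES + "\\.exe": "exefile ",
    CLASSES + "\\exefile ": "aplicación",
    CLASSES + "\\exefile \\DefaultIcon": "shell32.dll,2",
    RUN_KEYS[0]: " ",
    RUN_KEYS[1]: " ",
}
```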
Analysis by Vincent Tiu
Last update 27 November 2010