
Win32/Wecykler


First posted on 12 March 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Wecykler.

Explanation :



Installation

In the wild, Worm:Win32/Wecykler has been observed using any of the following file names:

  • Autorun.inf .exe
  • Commgr.exe
  • DCIM .exe
  • DrivesGuideInfo .exe
  • Images .exe
  • New Folder (2) .exe
  • New Folder .exe
  • RECYCLER .exe
  • WinAlert.exe
  • WinSysApp.exe


Note: The format of some of these file names is designed to hide the file extension, and entice you to click and run the worm.

The worm creates copies of itself in the following locations:

  • %ProgramFiles%\Windows Alerter\<malware file>
  • %ProgramFiles%\Windows Common Files\<malware file>


The folders where its copies are located are hidden.

It also creates a hidden copy of itself as:

C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe

Worm:Win32/Wecykler modifies the following registry entries to ensure that its copy runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"

In order to keep files related to the worm hidden, it makes sure that files with the Hidden and System attributes are not displayed in Windows Explorer, by making the following changes to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "00000002"
Sets value: "HideFileExt"
With data: "00000001"
Sets value: "SuperHidden"
With data: "00000000"
Sets value: "ShowSuperHidden"
With data: "00000000"

Spreads via...

Removable drives

Win32/Wecykler periodically (every 3 seconds) checks for any available removable drives, for example, floppy drives, USB sticks, and flash card readers.

If one is found, it copies itself to that drive using the same name as an existing directory it finds there. It then applies the "hidden" and "system" attributes to the original file, so that only the worm copy is displayed.

The worm uses a folder icon for its copy in an attempt to trick you into thinking that it is merely a folder, so that you might click and run the worm.
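A defender's check for the two artifacts described above: the Run-key persistence together with the Explorer\Advanced hiding values, and the folder-named ".exe" lookalikes the worm leaves on removable drives. This is an added example written for this page, not Microsoft's tooling; the registry dictionaries and the temp-directory drive layout are constructed stand-ins for a live registry read and a mounted drive.

```python
import os
import tempfile
from pathlib import Path

# Explorer\Advanced values the worm sets so hidden/system files and extensions stay out of view
HIDE_SETTINGS = {"Hidden": 2, "HideFileExt": 1, "SuperHidden": 0, "ShowSuperHidden": 0}
# Run-key value names the worm installs under both HKCU and HKLM
RUN_VALUE_NAMES = {"WindowMessenger", "Windows Alerter", "Windows Common Files Manager"}


def check_registry(run_values, advanced_values):
    """Return findings from a Run key (value name -> data) and the
    Explorer\\Advanced key (value name -> DWORD). The dicts stand in for
    a live winreg read or an offline hive parse (assumption of this example)."""
    findings = []
    for name, data in run_values.items():
        if name in RUN_VALUE_NAMES or "\\RECYCLER\\" in data.upper():
            findings.append(f"Run value {name!r} -> {data}")
    if all(advanced_values.get(k) == v for k, v in HIDE_SETTINGS.items()):
        findings.append("Explorer set to hide hidden/system files and extensions")
    return findings


def find_folder_lookalikes(root):
    """Flag '<name>.exe' files whose stem (ignoring the padding spaces the
    worm adds) matches a sibling directory: the layout left on a removable
    drive, where the directory is the hidden original and the .exe the worm."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.strip().lower() for d in dirnames}
        for f in filenames:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".exe" and stem.strip().lower() in dirs:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def demo_drive():
    """Build a constructed sample drive layout in a temp directory and scan it."""
    drive = Path(tempfile.mkdtemp())
    (drive / "DCIM").mkdir()                      # the user's real folder
    (drive / "DCIM .exe").write_bytes(b"MZ")      # worm copy named after it
    (drive / "New Folder").mkdir()
    (drive / "New Folder .exe").write_bytes(b"MZ")
    (drive / "setup.exe").write_bytes(b"MZ")      # unrelated program: no match
    return [os.path.basename(h) for h in find_folder_lookalikes(drive)]


if __name__ == "__main__":
    print(demo_drive())
```

On a live host the same `find_folder_lookalikes` can be pointed at a removable drive's root, and the two dicts filled from the Run and Explorer\Advanced keys quoted above.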



Payload

Logs keystrokes

The worm also logs keystrokes and saves them in an encrypted file named "info", for example:

C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info

Stops processes

Worm:Win32/Wecykler stops security-related and other computer processes, including:

  • acs.exe
  • agrs.exe
  • anti-trojan.exe
  • ants.exe
  • aswboot.exe
  • atwatch.exe
  • avast.exe
  • avengine.exe
  • avgcc32.exe
  • avgemc.exe
  • avgfree.exe
  • avgnt.exe
  • avgsetup.exe
  • avguard.exe
  • avnt.exe
  • avp.exe
  • avpcc.exe
  • avsched32.exe
  • bdagent.exe
  • blackice.exe
  • btdfbr.exe
  • btrl.exe
  • btscan.exe
  • ccapp.exe
  • ccleaner.exe
  • ccproxy.exe
  • ccsvchost.exe
  • cleaner.exe
  • cmd.exe
  • emlproui.exe
  • emlproxy.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • kavpf.exe
  • kpf4ss.exe
  • lockdown.exe
  • mcnasvc.exe
  • mcproxy.exe
  • mcregist.exe
  • mcshield.exe
  • mcsysmon.exe
  • mmc.exe
  • mpfservice.exe
  • msconfig.exe
  • msmscsvc.exe
  • navapsvc.exe
  • navw32.exe
  • nisserv.exe
  • nisum.exe
  • nod32.exe
  • nod32krn.exe
  • onlinent.exe
  • opssvc.exe
  • outpost.exe
  • payfires.exe
  • payproxy.exe
  • pccntmon.exe
  • persfw.exe
  • qhunpack.exe
  • quhlpsvc.exe
  • realmon.exe
  • reg.exe
  • regedit.exe
  • rstrui.exe
  • scanner.exe
  • scanwscs.exe
  • sensor.exe
  • siteadv.exe
  • smc.exe
  • tasklist.exe
  • taskmgr.exe
  • taumon.exe
  • tds-3.exe
  • tsnt2008.exe
  • upschd.exe
  • usbguard.exe
  • vbcons.exe
  • vsserv.exe
  • vsstat.exe
  • watchdog.exe
  • ymsgrtray.exe
  • zapro.exe
  • zonealarm.exe

Additional information

Worm:Win32/Wecykler also drops the following image file which contains adult content:

C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342



Analysis by Zarestel Ferrer

Last update 12 March 2013
