
Worm:W32/Tater.C


First posted on 09 October 2009.
Source: SecurityHome

Aliases:

There are no other names known for Worm:W32/Tater.C.

Explanation:

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Additional Details

Worm:W32/Tater.C typically arrives on the system via a drive-by download, or as part of the payload of another malware.

Once on the computer network, it can propagate to other nodes on the network via network shares and mapped drives. It also steals the user's credentials for online games.

Execution

On execution, the malware creates a copy of itself. It also drops a randomly-named DLL component in the %TEMP% directory. Both of these files will normally have the Read-Only, Hidden and System attributes set.

Next, the malware modifies the following registry value so that Hidden/System files are not shown in the Explorer window:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue = dword:00000000
It also adds the following registry entry to ensure it is continually executed on startup, effectively allowing it to survive system reboots.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random] = [randomfilename]

Propagation

To propagate, Tater.C drops a copy of itself to all accessible drives, together with a corresponding AUTORUN.INF file to enable the file's automatic execution.
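The following PowerShell triage function is an added example and is not part of the original SecurityHome description. It checks a Windows host for the indicators listed under Execution and Propagation above: the SHOWALL CheckedValue change, a Run entry whose target carries Hidden+System attributes, a Hidden+System+ReadOnly DLL in %TEMP%, and an AUTORUN.INF at the root of each ready drive. The function name Test-TaterIndicators and the assumption of an elevated PowerShell 5.1 or later session are mine; because the dropped file names are random per infection, the checks match on location and file attributes rather than on names, and the function only reports findings without changing anything.

```powershell
# Added triage function (assumed: elevated PowerShell 5.1+ session; nothing is modified).
function Test-TaterIndicators {
    $findings = @()

    # 1. Explorer setting that hides Hidden/System files: CheckedValue = 0 is the indicator.
    $showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    if ($checked -eq 0) {
        $findings += [pscustomobject]@{ Indicator = 'SHOWALL CheckedValue is 0'; Detail = $showAll }
    }

    # 2. HKCU Run entries whose target file carries the Hidden and System attributes.
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runProps) {
        foreach ($p in $runProps.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                 # skip provider metadata (PSPath etc.)
            $target = (($p.Value -replace '"', '') -split ' ')[0]  # first token is taken as the executable
            if ($target -and (Test-Path -LiteralPath $target)) {
                $attr = (Get-Item -LiteralPath $target -Force).Attributes
                if (($attr -band [IO.FileAttributes]::Hidden) -and ($attr -band [IO.FileAttributes]::System)) {
                    $findings += [pscustomobject]@{ Indicator = "Run entry '$($p.Name)' points to Hidden+System file"; Detail = $target }
                }
            }
        }
    }

    # 3. Randomly named DLL in %TEMP% with Hidden, System and ReadOnly attributes all set.
    Get-ChildItem -Path $env:TEMP -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $a = $_.Attributes
        if (($a -band [IO.FileAttributes]::Hidden) -and
            ($a -band [IO.FileAttributes]::System) -and
            ($a -band [IO.FileAttributes]::ReadOnly)) {
            $findings += [pscustomobject]@{ Indicator = 'Hidden+System+ReadOnly DLL in %TEMP%'; Detail = $_.FullName }
        }
    }

    # 4. AUTORUN.INF at the root of every ready drive; report any open=/shellexecute= line it contains.
    foreach ($d in [IO.DriveInfo]::GetDrives()) {
        if (-not $d.IsReady) { continue }
        $inf = Join-Path -Path $d.RootDirectory.FullName -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=' |
                      ForEach-Object { $_.Line.Trim() }
            $findings += [pscustomobject]@{ Indicator = 'autorun.inf at drive root'; Detail = "$inf $($launch -join '; ')" }
        }
    }

    return $findings
}

# Usage: run in an elevated session; an empty table means none of the indicators were found.
Test-TaterIndicators | Format-Table -AutoSize
```

Check 2 deliberately evaluates the file the Run value points at rather than the value name, since the page gives both the name and the file name as random. A legitimate autorun.inf on removable media will also be reported by check 4; the launch line it prints is what lets an analyst decide whether it refers to a dropped copy of the worm.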

Activity

The worm steals the online credentials for users of online games. To do so, it monitors the following known game processes:

  • coc.exe
  • ragexe.exe
  • pol.exe
  • polcore.dll

Last update 09 October 2009
