W32.Wervik
First posted on 18 February 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Wervik.
Explanation:
When the worm is executed, it copies itself to the following locations:
%DriveLetter%\My Pictures\svchost.exe
%DriveLetter%\My Documents\svchost.exe
%DriveLetter%\Games\svchost.exe
%AllUsersProfile%\Start Menu\Programs\Startup\svchost.exe
%AllUsersProfile%\Application Data\svchost.exe
%DriveLetter%\[ORIGINAL FILE NAME]
%Temp%\readme.exe
The worm then searches for .rar files and inserts itself as the following file to the RAR container:
readme.exe
Next, the worm creates the following files:
%Temp%\time.txt
%AllUsersProfile%\Application Data\svchost.exe.ini
The worm then creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"svchost.exe" = "[PATH TO MALWARE]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"svchost.exe" = "[PATH TO MALWARE]"
Next, the worm connects to the following remote location:
hasto.zapto.org
The worm then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Collect information about the computer
Collect antivirus and firewall product information
Download files
Execute files
Uninstall itself
Restart the computer
Perform denial of service attacks
Display a message box
Send Facebook messages
Send Skype messages
Display advertisements
The worm spreads through removable and network drives by copying itself to the following locations:
%DriveLetter%\system.ini
%DriveLetter%\autoexec.bat
%DriveLetter%\system.bin
Last update 18 February 2015
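The indicators in this write-up turned into a host-triage check, as an added example (not Symantec's code): it flags Run values matching the persistence entries above and file paths matching the copy locations and created files, run over constructed sample input that stands in for an exported Run key and a file listing. The sample paths, the suffix matching for Temp and Application Data, and the choice to skip system.ini/autoexec.bat (legitimate names on a boot drive) are assumptions of this example.

```python
import ntpath
import re

# Indicators taken from the write-up: the Run value name, the dropped file
# names, and the directories the worm copies itself into.
LEGIT_SVCHOST_DIR = r"c:\windows\system32"
SVCHOST_DROP_DIRS = ("my pictures", "my documents", "games",
                     r"start menu\programs\startup", "application data")
ROOT_OF_DRIVE = re.compile(r"[a-z]:\\")   # e.g. "e:\" for a removable drive

def is_suspicious_run_entry(value_name, data):
    """A Run value literally named svchost.exe, or one whose target is an
    svchost.exe outside System32, matches the persistence described above.
    The genuine svchost.exe is started by services.exe, never via Run keys."""
    target = data.strip('"').lower()
    if value_name.lower() == "svchost.exe":
        return True
    return (ntpath.basename(target) == "svchost.exe"
            and ntpath.dirname(target) != LEGIT_SVCHOST_DIR)

def is_drop_path(path):
    """Match a path against the worm's copy locations and created files."""
    p = path.lower()
    base, parent = ntpath.basename(p), ntpath.dirname(p)
    if base == "svchost.exe":
        return any(parent.endswith(d) for d in SVCHOST_DROP_DIRS)
    if base == "readme.exe":           # %Temp%\readme.exe
        return parent.endswith(r"\temp")
    if base == "svchost.exe.ini":      # %AllUsersProfile%\Application Data\
        return parent.endswith("application data")
    if base == "system.bin":           # written to the root of drives it spreads to
        return ROOT_OF_DRIVE.fullmatch(parent) is not None
    return False   # system.ini / autoexec.bat are not matched: legitimate on boot drives

def scan(run_entries, files):
    """run_entries: (hive, value_name, data) tuples; files: path strings."""
    hits = [f"run:{hive} {name} = {data}"
            for hive, name, data in run_entries if is_suspicious_run_entry(name, data)]
    hits += [f"file:{p}" for p in files if is_drop_path(p)]
    return hits

# Constructed sample data (not real telemetry) standing in for an exported Run key and a file listing.
SAMPLE_RUN_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    ("HKLM", "svchost.exe", r"C:\Users\alice\My Documents\svchost.exe"),
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
SAMPLE_FILES = [r"E:\Games\svchost.exe", r"C:\Windows\System32\svchost.exe",
                r"C:\Users\alice\AppData\Local\Temp\readme.exe",
                r"C:\ProgramData\Application Data\svchost.exe.ini", r"E:\system.bin"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_ENTRIES, SAMPLE_FILES):
        print(hit)
```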