
Worm:Win32/Esfury.D


First posted on 18 August 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Esfury.D is also known as W32/Agent.UWCW (Norman), Trojan.Injector.QIR (VirusBuster), Dropper.Generic2.AANE (AVG), TR/Click.Outtol.A (Avira), Trojan.Agent.VB.BMW (BitDefender), Win32/VBInject.D!generic (CA), Win32/Injector.CHN (ESET), Trojan.Click (Ikarus), Troj/DwnLdr-IHU (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Rontokbro@mm (Symantec).

Explanation :

Worm:Win32/Esfury.D is a worm that spreads to all removable drives. It also changes Internet Explorer's start page, as well as other system settings that might have an impact on the overall security of the computer. It also connects to certain websites.

Installation

Worm:Win32/Esfury.D drops a copy of itself as the following:

  • %HomePath%\<user name>1\winlogon.exe

where <user name> is a user name defined in the computer. Note also that a legitimate file also named "winlogon.exe" exists by default in the Windows system folder.

Spreads via...

Removable drives

Worm:Win32/Esfury.D may drop the following files in all removable drives:

  • winlogon.exe - copy of itself
  • autorun.inf - INF file that allows the worm copy to automatically run when the drive is accessed and Autorun is enabled

Payload

Connects to certain websites and injects code into processes

Worm:Win32/Esfury.D may attempt to connect to the following websites:

  • 0-1-0-0-1-0-0-0-1-0-1-1-0-1-1-1-1-0-1-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info
  • 3-x-5-3-7-h-p-g-r-y-7-g-b-3-8-9-8-4-l-j.cheaps1.info
  • whos.amung.us

It may also inject code into the following process:

  • svchost.exe

Modifies system settings

Worm:Win32/Esfury.D may modify the following registry keys:

Disables UAC notifications (User Access Controls):
  • Adds value: "UACDisableNotify"
    With data: "1"
    In subkey: HKLM\SOFTWARE\Microsoft\Security Center

Disables LUA (Least User Access):
  • Adds value: "EnableLUA"
    With data: "0"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Disables System Restore:
  • Adds value: "DisableSR"
    With data: "1"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

Stops the System Restore service:
  • Adds value: "Start"
    With data: "4"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr

Changes the way hidden files are displayed in Windows Explorer:
  • Adds value: "ShowSuperHidden"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Modifies Internet Explorer settings

Worm:Win32/Esfury.D changes the start page of Internet Explorer by modifying the following registry entry:

  • Modifies value: "Start Page"
    With data: "http://www.nuevaq.fm"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
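The following PowerShell audit is an added example written for this page; it is not part of the original description and not Microsoft's or any vendor's tooling. It reads the registry values, the dropped-copy path and the removable-drive files listed above and reports which are present, changing nothing. The registry paths and data come from the description; the script assumes that the "<user name>1" folder sits directly under each local profile directory (so it checks every immediate subfolder whose name ends in "1") and uses the WMI DriveType value 2 to identify removable drives.

```powershell
# Added example, not part of the original description or of any vendor tooling:
# a read-only audit of a Windows host for the registry values and dropped files
# this page attributes to Worm:Win32/Esfury.D. It reports matches and changes nothing.

$Findings = New-Object System.Collections.Generic.List[string]

# Registry values the description lists, paired with the data the worm writes.
# One hit on its own is weak evidence (EnableLUA = 0 is also set by administrators);
# several hits together, or a dropped file below, are much stronger.
$RegistryIndicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                            Name = 'UACDisableNotify'; Data = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';        Data = '0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';  Name = 'DisableSR';        Data = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr';                         Name = 'Start';            Data = '4' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';  Data = '0' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                    Name = 'Start Page';       Data = 'http://www.nuevaq.fm' }
)

foreach ($ind in $RegistryIndicators) {
    $props = Get-ItemProperty -Path $ind.Path -Name $ind.Name -ErrorAction SilentlyContinue
    if ($null -ne $props -and [string]$props.($ind.Name) -eq $ind.Data) {
        $Findings.Add("registry: $($ind.Path)\$($ind.Name) = '$($ind.Data)'")
    }
}

# Dropped copy: %HomePath%\<user name>1\winlogon.exe. Profiles are enumerated from
# ProfileList. Assumption: the "<user name>1" folder is an immediate subfolder of the
# profile, so every subfolder ending in "1" is checked for a winlogon.exe. The only
# legitimate winlogon.exe lives in the Windows system folder, never under a profile.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($key in (Get-ChildItem -Path $ProfileList -ErrorAction SilentlyContinue)) {
    $dir = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    $subfolders = Get-ChildItem -LiteralPath $dir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '*1' }
    foreach ($sub in $subfolders) {
        $candidate = Join-Path $sub.FullName 'winlogon.exe'
        if (Test-Path -LiteralPath $candidate) {
            $Findings.Add("file: $candidate (winlogon.exe outside the Windows system folder)")
        }
    }
}

# Files the worm may drop in the root of every removable drive (WMI DriveType 2 = removable).
$Removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
foreach ($disk in $Removable) {
    foreach ($name in @('winlogon.exe', 'autorun.inf')) {
        $path = Join-Path ($disk.DeviceID + '\') $name
        if (Test-Path -LiteralPath $path) {
            $Findings.Add("file: $path (dropped on removable drive)")
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Esfury.D indicators from this description were found.'
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated PowerShell so that HKLM and every profile directory are readable. An autorun.inf beside a winlogon.exe on a removable drive is the clearest sign of the spreading mechanism described above; disabling Autorun for removable media removes that vector regardless of whether this particular worm is present, and the three hostnames listed under Payload can be added to proxy or DNS logging to catch the outbound connections.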

Analysis by Andrei Florin Saygo

Last update 18 August 2010