
Worm:Win32/Verst.A


First posted on 04 May 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Verst.A is also known as BackDoor.Pushnik.9 (Dr.Web), Trojan.Win32.Generic!BT (Sunbelt Software).

Explanation:

Worm:Win32/Verst.A is a worm that spreads via removable drives by utilizing the Autorun feature. It may also contact various remote hosts in order to download and execute arbitrary files.

Installation
When executed, the malware copies itself to the following location, using the same file name as the original executable:

  • All Users\%appdata%\srtserv\<filename>.exe

For example, one observed instance of this worm copies itself to:

  • All Users\%appdata%\srtserv\sglosrv.exe

It sets the following registry entry to ensure execution at Windows start:

    Adds value: "srtserv"
    With data: "<worm file>.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For example:

    Adds value: "srtserv"
    With data: "All Users\%appdata%\srtserv\sglosrv.exe "
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The malware also drops an additional component to the following location:

  • All Users\%appdata%\srtserv\sdata.dll - this file is detected as Worm:Win32/Verst.B

Spreads via…

Removable drives
Worm:Win32/Verst.A copies itself, again using the same file name as its executable, to removable drives attached to the affected system. It then writes an autorun configuration file named 'autorun.inf' pointing to its copy. When the removable or networked drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Payload

Downloads and executes arbitrary files
The malware contacts the following domains to download a file that contains configuration information:

  • freehostia.com
  • psynergi.dk
  • kubusse.ru
  • s-elisa.ru
  • eda.ru
  • 110mb.com
  • x10hosting.com
  • awardspace.com
  • exofire.net
  • hostei.com
  • orgfree.com

This configuration file contains attacker-specified locations from which the worm is directed to download and execute arbitrary files. Please note this method is also used as an update mechanism for the worm.

Provides stealth
The malware hooks the following System APIs to redirect to its own code to hide its presence on the affected computer:

  • ZwQueryDirectoryFile
  • ZwQuerySystemInformation
  • ZwOpenProcess

Additional information
Worm:Win32/Verst.A stores configuration data in the following registry entry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn
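The following is an added triage example written for this entry; it is not code from the original write-up or from the antivirus vendor. It turns the host-based indicators described above (the "srtserv" Run value pointing into the srtserv\ drop directory, the MSrtn configuration subkey, and an autorun.inf that launches a copy of the worm from a removable drive) into checks a responder can run over collected artifacts. Because the worm hooks ZwQueryDirectoryFile and ZwQuerySystemInformation on a live system, the checks are written to take registry and file data gathered offline (for example from an exported hive or a mounted drive) as plain Python values rather than querying the infected machine. All sample inputs are constructed for the example; the expanded "All Users" path in the sample is an assumed expansion of the %appdata% form the write-up uses.

```python
"""Offline triage checks for the Worm:Win32/Verst.A indicators.

Added example, not the vendor's code. The Run-key data and subkey list are
passed in as plain dicts/lists to stand in for values read from an exported
registry hive; the autorun.inf text stands in for a file copied off a drive.
"""
import re
from typing import Dict, List, Optional

# Indicators quoted from the write-up above.
RUN_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "srtserv"
DROP_DIR_MARKER = "\\srtserv\\"          # drop directory: All Users\%appdata%\srtserv\
CONFIG_SUBKEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn"


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into a dict of lower-cased keys."""
    section: Optional[str] = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[str]:
    """Return the distinct programs an autorun.inf would start via the Autorun feature."""
    entries = parse_autorun_inf(text)
    targets: List[str] = []
    for key in ("open", "shellexecute", "shell\\open\\command"):
        if key in entries:
            target = entries[key].strip('"')
            if target not in targets:
                targets.append(target)
    return targets


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return value names under the Run key that match the persistence entry above.

    run_values maps value name -> data, as exported from RUN_SUBKEY. The data is
    matched after stripping the quotes and trailing space seen in the sample.
    """
    hits: List[str] = []
    for name, data in run_values.items():
        path = data.strip().strip('"').strip().lower()
        if name.lower() == RUN_VALUE_NAME or DROP_DIR_MARKER in path:
            hits.append(name)
    return hits


def triage(run_values: Dict[str, str], hkcu_subkeys: List[str],
           autorun_inf_text: Optional[str] = None) -> List[str]:
    """Combine the checks into a list of human-readable findings (empty if clean)."""
    findings: List[str] = []
    for name in suspicious_run_entries(run_values):
        findings.append(f"persistence: {RUN_SUBKEY}\\{name} = {run_values[name].strip()}")
    if any(k.lower() == CONFIG_SUBKEY.lower() for k in hkcu_subkeys):
        findings.append(f"config store present: {CONFIG_SUBKEY}")
    if autorun_inf_text is not None:
        for target in autorun_launch_targets(autorun_inf_text):
            if target.lower().endswith(".exe"):
                findings.append(f"autorun.inf launches executable: {target}")
    return findings


# Constructed sample inputs modelled on the observed instance in the write-up.
SAMPLE_RUN_VALUES = {
    # assumed expansion of All Users\%appdata%\srtserv\sglosrv.exe, trailing space as observed
    "srtserv": '"C:\\Documents and Settings\\All Users\\Application Data\\srtserv\\sglosrv.exe "',
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",   # benign entry for contrast
}
SAMPLE_HKCU_SUBKEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn",
]
SAMPLE_AUTORUN_INF = """[autorun]
open=sglosrv.exe
shellexecute=sglosrv.exe
icon=sglosrv.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_HKCU_SUBKEYS, SAMPLE_AUTORUN_INF):
        print(finding)
```

The Run-value check matches on either the value name or the srtserv\ directory fragment so that a renamed value still fires, and the autorun.inf parser reads both open= and shellexecute= because either is enough for the Autorun feature to launch the copy; a clean host with a benign Run entry and an icon-only autorun.inf produces no findings.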

Analysis by Ray Roberts

Last update 04 May 2010
