
Worm:W32/Agent.IPZ


First posted on 16 January 2009.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Agent.IPZ.

Explanation :

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

There are two ways that this worm may arrive on a user's system: it may be delivered directly to the user in an infected e-mail attachment, or the user may unknowingly download it from an infected website host.

In the first method, the e-mails are sent out from other, infected machines. The worm's code is stored in a ZIP file attachment to the e-mail. Each e-mail will use one of these two sets of characteristics:

  • Subject: "IKEA's New Planning Software"
    Attachment: Ikea.zip
  • Subject: "You've received a Hallmark e-card!"
    Attachment: Postcard.zip

The worm may also be downloaded from an infected website host. If an infected machine is an IIS web server, the worm replaces the default index page at C:\Inetpub\wwwroot\index.htm with a page containing:

  • "Security warning"
  • A link, misleadingly named "MS09-067.exe" (a name chosen to resemble a Microsoft security bulletin identifier), which downloads a copy of the malware from the Web server onto the visitor's system.



In both cases, running the extracted attachment or downloaded copy will launch the malware.
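The two e-mail lures above are easy to match at a mail gateway, but the subject line alone would also catch genuine IKEA or Hallmark mail. The following is an added example (not code from the original description): it parses a message with Python's standard library, checks the subject/attachment pair against the two lures, and only returns a block verdict when the ZIP attachment actually carries a Windows executable. The sample messages are constructed in memory with an inert dummy file; the executable-extension list is an assumption.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject/attachment pairs from the description above, normalised to lower case.
LURES = {
    "ikea's new planning software": "ikea.zip",
    "you've received a hallmark e-card!": "postcard.zip",
}
# Extensions Windows will execute when double-clicked (assumed list, extend as needed).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_members(data: bytes) -> list:
    """Member names of a ZIP blob; [] if the blob is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> dict:
    """Inspect one raw RFC 5322 message and return a verdict dict.

    'lure_match' is true when subject and attachment name reproduce one of
    the two lures; 'exe_in_zip' lists executable members found inside any
    ZIP attachment; 'block' requires both, so a legitimate IKEA or Hallmark
    mail without an executable payload is not blocked on its subject alone.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    expected_zip = LURES.get(subject)
    verdict = {"lure_match": False, "exe_in_zip": [], "block": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if expected_zip is not None and name == expected_zip:
            verdict["lure_match"] = True
        if name.endswith(".zip"):
            members = zip_members(part.get_payload(decode=True) or b"")
            verdict["exe_in_zip"] += [m for m in members
                                      if m.lower().endswith(EXECUTABLE_SUFFIXES)]
    verdict["block"] = verdict["lure_match"] and bool(verdict["exe_in_zip"])
    return verdict


def build_sample(subject: str, zip_name: str, inner_name: str) -> bytes:
    """Constructed test message: a ZIP holding one inert dummy file (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 62)  # looks like a PE stub, does nothing
    msg = EmailMessage()
    msg["From"] = "infected-host@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("IKEA's New Planning Software", "Ikea.zip", "Ikea.exe"),
                 ("You've received a Hallmark e-card!", "Postcard.zip", "Postcard.exe"),
                 ("You've received a Hallmark e-card!", "Postcard.zip", "card.jpg"),
                 ("Quarterly report", "report.zip", "report.exe")):
        print(args[0], "->", classify_message(build_sample(*args)))
```

The third sample (correct lure, but a JPEG inside the ZIP) and the fourth (executable in the ZIP, unrelated subject) are the two false-positive cases the combined rule deliberately leaves alone; a stricter gateway policy would quarantine the fourth on the executable-in-archive finding regardless of subject.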

Execution

On execution, the worm creates a copy of itself at the following location:

  • %windir%\system32\jushed.exe

It also drops another malware file, detected as Trojan.Win32.Pakes.mmp:

  • %windir%\system32\jqs.exe

It then creates registry entries so that the copy of the worm runs on system startup, and disables the Windows Firewall.

Next, the worm contacts the following site to determine the infected system's public IP address (an outbound HTTP request to this host from a machine that has no business making one is a useful network indicator):

  • http://whatismyip.com/

Propagation

To propagate itself via infected e-mails, the worm harvests all e-mail addresses stored on the infected system and sends out messages to all the harvested addresses. Each e-mail contains the worm's code in an attachment, and the e-mail itself uses one of the same two sets of characteristics (subject line, attachment name, etc.) as the e-mail the worm arrived in.

For the worm to propagate via downloads from a Web server, the infected system must first have Microsoft IIS installed. If so, the worm creates a copy of itself in the following location:

  • C:\Inetpub\wwwroot\MS-09-067.exe

It also creates or replaces the following file:

  • C:\Inetpub\wwwroot\index.htm

This new index page relies on social engineering to persuade visitors to download the malware.
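The execution and propagation artefacts above (dropped files, startup entry, disabled firewall, replaced IIS index page) are the indicators an incident responder would sweep a host for. The following is an added example, not part of the original description: the triage logic is driven by a snapshot dict so it runs offline on the constructed samples below, and collect_live_snapshot() shows how the same dict would be filled on a Windows host. The Run key and firewall registry value are assumptions, since the description does not name the registry entries the worm writes; the index.htm and Run-value contents in the sample are constructed from the behaviour described above.

```python
import os
import re
import sys

# File artefacts named in the description (%windir% is expanded on a live host).
WORM_COPY = r"%windir%\system32\jushed.exe"
DROPPED_TROJAN = r"%windir%\system32\jqs.exe"        # Trojan.Win32.Pakes.mmp
IIS_PAYLOAD = r"C:\Inetpub\wwwroot\MS-09-067.exe"
IIS_INDEX = r"C:\Inetpub\wwwroot\index.htm"
# Assumed locations: the description does not say which Run key or firewall value is touched.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile")
EXE_LINK = re.compile(r"""href\s*=\s*["']?([^"'\s>]+\.exe)""", re.I)
WORM_BINARIES = re.compile(r"(?:^|\\)(jushed|jqs)\.exe\b", re.I)


def triage(snapshot):
    """Return (infected, findings) for one host snapshot.

    snapshot keys: 'files' (set of lower-cased template paths that exist),
    'run_values' (Run value name -> command line), 'firewall_enabled' (bool),
    'index_htm' (contents of the IIS default page, or None).
    """
    findings = []
    files = {p.lower() for p in snapshot["files"]}
    for label, path in (("worm copy", WORM_COPY), ("dropped trojan", DROPPED_TROJAN),
                        ("IIS-hosted copy", IIS_PAYLOAD)):
        if path.lower() in files:
            findings.append(f"{label} present: {path}")
    for name, cmd in snapshot["run_values"].items():
        if WORM_BINARIES.search(cmd):
            findings.append(f"Run value {name!r} starts {cmd}")
    if not snapshot["firewall_enabled"]:
        findings.append("Windows Firewall disabled")
    page = snapshot.get("index_htm") or ""
    link = EXE_LINK.search(page)
    if "security warning" in page.lower() and link:
        findings.append(f"IIS index.htm is a lure page linking to {link.group(1)}")
    # The worm copy or its startup entry is decisive; the rest corroborates.
    infected = any(f.startswith(("worm copy", "Run value")) for f in findings)
    return infected, findings


def collect_live_snapshot():
    """Fill the snapshot dict from a live Windows host (needs winreg, admin rights help)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    snap = {"files": set(), "run_values": {}, "firewall_enabled": True, "index_htm": None}
    for tpl in (WORM_COPY, DROPPED_TROJAN, IIS_PAYLOAD, IIS_INDEX):
        if os.path.exists(os.path.expandvars(tpl)):
            snap["files"].add(tpl.lower())
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            snap["run_values"][name] = str(data)
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_KEY) as key:
            snap["firewall_enabled"] = bool(winreg.QueryValueEx(key, "EnableFirewall")[0])
    except OSError:
        pass  # value absent on this Windows version: leave as unknown/enabled
    if IIS_INDEX.lower() in snap["files"]:
        with open(IIS_INDEX, encoding="utf-8", errors="replace") as fh:
            snap["index_htm"] = fh.read()
    return snap


# Constructed samples: one host mirroring the behaviour described above, one clean.
SAMPLE_INFECTED = {
    "files": {WORM_COPY.lower(), DROPPED_TROJAN.lower(), IIS_PAYLOAD.lower(), IIS_INDEX.lower()},
    "run_values": {"jushed": r"C:\WINDOWS\system32\jushed.exe"},
    "firewall_enabled": False,
    "index_htm": '<html><body><h1>Security warning</h1>'
                 '<a href="MS09-067.exe">MS09-067.exe</a></body></html>',
}
SAMPLE_CLEAN = {
    "files": set(),
    "run_values": {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "firewall_enabled": True,
    "index_htm": "<html><body>Under construction</body></html>",
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    infected, findings = triage(snap)
    print("INFECTED" if infected else "clean")
    for line in findings:
        print(" -", line)
```

Run on a live server the script sweeps the real locations; elsewhere it reports on the constructed sample. Note that the link name on the lure page ("MS09-067.exe") and the file name actually written to wwwroot ("MS-09-067.exe") differ in the description above, so the page check matches any .exe link rather than one exact name.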

Last update 16 January 2009
