
Worm:Win32/Ructo.J


First posted on 06 September 2011.
Source: SecurityHome

Aliases:

There are no other names known for Worm:Win32/Ructo.J.

Explanation:

Worm:Win32/Ructo.J is a worm that spreads via Windows Live Messenger. It also lowers system security settings and downloads other malicious files from a remote server.





Installation

When executed, Worm:Win32/Ructo.J drops the following files:

  • <Computer name>mplayer2.exe - copy of itself
  • <Computer name>mac.exe - malicious component also detected as Worm:Win32/Ructo.J


It then creates the following registry entry to be able to execute itself every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wmplayer"
With data: "<Computer name>mplayer2.exe"
Sets value: "mac"
With data: "<Computer name>mac.exe"

Worm:Win32/Ructo.J then opens an Internet Explorer window to the following webpage:

  • youtube.com/watch?v=Bb_9w_9sroE

Spreads via...

Windows Live Messenger

For it to spread via Windows Live Messenger, Worm:Win32/Ructo.J first checks the version of the file "%ProgramFiles%\Messenger\msgsc.dll". If the file version is not 4.7.0.3001, which is an old version, then it downloads the following:

  • videoschatjogos.servegame.com/part/win.rar


and saves it as "%ProgramFiles%\Messenger\msgsc.dll".

It then checks Windows Live Messenger for the following statuses:

  • MISTATUS_ONLINE
  • MISTATUS_AWAY
  • MISTATUS_BE_RIGHT_BACK
  • MISTATUS_BUSY
  • MISTATUS_UNKNOWN


If any of these statuses are found, Worm:Win32/Ructo.J attempts to send messages containing a hyperlink to the affected user's contacts. The hyperlink may point to a remotely-hosted copy of the worm.

In the wild, it has been observed to send out the following hyperlinks:

  • ferreirasilva678.com/<removed>.php
  • limamagalhaes.com/<removed>.php
  • limamagalhaes.tempsite.ws/<removed>.php
  • ssl5211.websiteseguro.com/ferreirasilva678/<removed>.php
  • ssl5474.websiteseguro.com/limamagalhaes/<removed>.php


Payload

Terminates processes

The dropped malicious component "mac.exe" is responsible for terminating the following security-related processes if they are found on the affected computer:

  • AVGIDSAgent.exe
  • avgchsvx.exe
  • avgcsrvx.exe
  • avgemcx.exe
  • avgidsmonitor.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgtray.exe
  • avgui.exe
  • avast.setup
  • AvastSvc.exe
  • AvastUI.exe


Lowers system security settings

Worm:Win32/Ructo.J lowers system security settings by creating the following registry entries:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "RunInvalidSignatures"
With data: "00000001"

In subkey: HKCU\Software\Microsoft\Internet Explorer\Download
Sets value: "CheckExeSignatures"
With data: "no"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
Sets value: "SaveZoneInformation"
With data: "00000001"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
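The registry artefacts listed under "Installation" (the two Run values) and in this section are what an analyst would check first when triaging a suspected infection. The following is an added example, not code from the original write-up: it parses a `.reg` export (such as one produced by `reg export HKCU hkcu.reg`) and reports the worm's persistence values and the four weakened settings. The sample export, the computer name "WS01" and the user path are constructed; the key paths, value names and data come from the page. The LowRiskFileTypes check generalises slightly by flagging any executable extension in that list, not only the exact string the worm writes.

```python
"""Check a .reg export for the Worm:Win32/Ructo.J registry artefacts.

Added example, not part of the original write-up. The SAMPLE_REG text is
constructed for demonstration; key paths and value names are from the page.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_DOWNLOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
ATTACHMENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
ASSOCIATIONS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

# Run value names the worm writes. The data is "<Computer name>mplayer2.exe" /
# "<Computer name>mac.exe", so we match on the file name suffix, not the full path.
PERSISTENCE = {"wmplayer": "mplayer2.exe", "mac": "mac.exe"}

# Settings the worm writes, with the data it sets. Deleting the value restores
# the Windows default behaviour for each of these.
WEAKENED = {
    (IE_DOWNLOAD_KEY, "RunInvalidSignatures"): 1,
    (IE_DOWNLOAD_KEY, "CheckExeSignatures"): "no",
    (ATTACHMENTS_KEY, "SaveZoneInformation"): 1,
}
# Executable extensions that should never be marked low-risk (subset of the worm's list).
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}.

    Handles quoted string values and dword: values; other types are kept as raw text.
    Key and value names are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            parsed = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            parsed = _unescape(data[1:-1])
        else:
            parsed = data
        keys[current][name] = parsed
    return keys


def check_ructo_indicators(reg_text):
    """Return a list of human-readable findings for Ructo.J registry artefacts."""
    keys = parse_reg(reg_text)
    findings = []

    run = keys.get(RUN_KEY.lower(), {})
    for name, file_suffix in PERSISTENCE.items():
        data = run.get(name.lower())
        if isinstance(data, str) and data.lower().endswith(file_suffix):
            findings.append(f"persistence: {RUN_KEY}\\{name} -> {data}")

    for (key, name), bad in WEAKENED.items():
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is None:
            continue
        matched = str(data).lower() == bad if isinstance(bad, str) else data == bad
        if matched:
            findings.append(f"weakened: {key}\\{name} = {data!r} (delete the value to restore the default)")

    low_risk = keys.get(ASSOCIATIONS_KEY.lower(), {}).get("lowriskfiletypes")
    if isinstance(low_risk, str):
        exts = {e.strip().lower() for e in low_risk.split(";") if e.strip()}
        hit = sorted(exts & EXECUTABLE_EXTS)
        if hit:
            findings.append(f"weakened: {ASSOCIATIONS_KEY}\\LowRiskFileTypes marks executables low-risk: {' '.join(hit)}")
    return findings


# Constructed sample export: an infected profile on a host named "WS01" (not a real sample).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wmplayer"="C:\\Users\\victim\\WS01mplayer2.exe"
"mac"="C:\\Users\\victim\\WS01mac.exe"
"OneDrive"="C:\\Users\\victim\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
'''

if __name__ == "__main__":
    for finding in check_ructo_indicators(SAMPLE_REG):
        print(finding)
```

The Run entries are matched on file name rather than full path because the page only gives the `<Computer name>` prefix, which differs per host; an unrelated Run value (the constructed "OneDrive" entry) is not reported. Each finding names the exact key and value so it can be mapped directly to a cleanup step.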

Downloads and executes arbitrary files

Worm:Win32/Ructo.J downloads the following files related to the Win32/Banker family:

  • vipshost1.myvnc.com/imagem/dll.rar - saved as "rEvents.dll" and registered as a Browser Helper Object
  • masterhost1.myvnc.com/imagem/up.rar - saved and executed as "up.exe"


Gathers chat logs

Worm:Win32/Ructo.J also has the capability to gather chat logs or archives stored on the affected computer. It then sends these logs to a specific email address.



Analysis by Ric Robielos



Last update 06 September 2011
