
Worm:Win32/Darksnow.A


First posted on 18 April 2012.
Source: Microsoft

Aliases :

Worm:Win32/Darksnow.A is also known as Worm:Win32/Tufik.F (other), Win32/Whiteice.worm.35377 (AhnLab), Win32/Tufik.A (AVG), Backdoor.Bot.90971 (BitDefender), WIN.WORM.Virus (Dr.Web), Worm.Win32.WhiteIce.c (Kaspersky), W32/Tufik.worm.gen (McAfee), W32/Packed_FSG.D (Norman), Mal/TinyDL-T (other).

Explanation :

Worm:Win32/DarkSnow.A is a worm that copies itself to attached drives and infects files stored both locally and on attached drives. Some variants may terminate security-related applications.

Installation

This worm is installed when a user opens files infected by Virus:O97M/DarkSnow.A or runs files infected with Virus:Win32/DarkSnow.A.

When an Excel workbook infected by Virus:O97M/DarkSnow.A is opened and its macro executes, the macro creates a new workbook named 'book1.xls' in the XLSTART folder, then infects that newly created workbook and any workbooks opened in Excel. The macro contains a base64-encoded copy of Worm:Win32/DarkSnow.A that is dropped when the macro is allowed to execute.

When a Word document infected by Virus:O97M/DarkSnow.A is opened and its macro executes, the macro infects the global template 'normal.dot'. Once the global template is infected, newly created Word documents are infected in turn. Both forms of the macro virus contain a base64-encoded copy of Worm:Win32/DarkSnow.A that is dropped and run as described below.

When a file infected by Virus:Win32/DarkSnow.A is run, it drops a copy of Worm:Win32/DarkSnow.A as the following:

%temp%\bk_1.tmp - Worm:Win32/DarkSnow.A

The dropped worm copy is executed and creates a mutex named "blackicemutex". It then copies itself to the following files:

<system folder>\blackice.exe - Worm:Win32/DarkSnow.A
<system folder>\kernel.dll - Worm:Win32/DarkSnow.A

The file attributes of 'blackice.exe' are set to system, hidden and read-only.

The registry is modified so that the dropped copy 'blackice.exe' runs at Windows start.

Adds value: "run"
With data: "<system folder>\blackice.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

Modifies value: "Shell"
With data: "Explorer <system folder>\blackice.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The Windows configuration files 'system.ini' and 'win.ini' are also modified to execute the worm copy at Windows start.
The worm makes the following change to '%windir%\win.ini' within the "[load]" section:

run=<system folder>\blackice.exe

The worm makes the following change to '%windir%\system.ini' within the "[boot]" section:

shell=explorer.exe <system folder>\blackice.exe

Note: The configuration files 'system.ini' and 'win.ini' contain driver load parameters and other Windows settings. They are primarily used by Windows 9x (95/98/Me) and in some cases Windows XP.

Spreads Via...

Removable Drives

A thread is created that copies Worm:Win32/DarkSnow.A to inserted USB drives under the name of the currently running process, usually "blackice.exe" but in some cases "bk_1.tmp". The worm then writes an AutoRun configuration file named 'autorun.inf' pointing to the worm copy. When the removable or networked drive is accessed from another machine that supports the AutoRun feature, the malware is launched automatically.

File Infection

Another thread is created to search all drives and attempt to infect files with the extensions .EXE, .DOC and .XLS. When an infected executable is run, it drops and installs a copy of the worm as described above. Before infecting .DOC and .XLS files, Worm:Win32/DarkSnow.A first checks whether the string '<!!blackice>' is present; if the string is not found, the worm infects the Microsoft Office file.

Payload

Terminates Applications

Some variants of this threat may terminate security applications whose names contain strings such as the following:

360SAFE
ANYVIEW
AVP
EGHOST
IPARMOR
KASPERSKY
KAV32
KAVPFW
KAVSVCUI
KAVSVC
KVMONXP
KVSRVXP
KVFW
KVWSC
KVXP
KWATCHUI
NAVAPSVC
NAVW32
NMAIN
NOD32
PFW
RAV.EXE
RAVMOND
RAVMON
RAVTIMER
RISING
SCAN32
THGUARD
TROJANHUNTER

Collects and Sends Information to Remote Sites

The worm gathers information about the infected computer such as:

  • computer MAC address
  • hard drive volume serial number
  • hostname
The worm may download a file 'url.txt' from one of the following predefined remote websites:

fmtwld.zj.com
fmtwld.vicp.net

The file is stored temporarily as '<system folder>\blackice.ini' and may contain a list of other remote websites. The collected data may then be sent to the remote sites in the following format:

<site>?mac=<mac address>&serial=<volume serial number>&hostname=<localhostname>&version=1.1

The temporary file '<system folder>\blackice.ini' is later deleted.

Lowers Macro Security

Worm:Win32/DarkSnow.A lowers Microsoft Word and Excel macro security by modifying registry data.

Modifies value: "Level"
With data: "1"
In subkeys:
HKCU\Software\Microsoft\Office\<version>\Excel\Security
HKCU\Software\Microsoft\Office\<version>\Word\Security
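The autostart entries and the check-in request format described in this write-up can be checked offline from collected artifacts. The following is an added example, not code from the write-up or from Microsoft: it parses copies of win.ini and system.ini plus an exported Winlogon "Shell" value for a path appended to the shell, and flags proxy log lines whose query carries the mac/serial/hostname/version=1.1 pattern. The install path, the log lines and the example.invalid host are constructed sample data, and the ini section names are taken as the write-up gives them.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample artifacts (not from a real host); the install path is an assumption.
WIN_INI = "[windows]\nload=\n[load]\nrun=C:\\Windows\\system32\\blackice.exe\n"
SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\Windows\\system32\\blackice.exe\n"
WINLOGON_SHELL = "Explorer C:\\Windows\\system32\\blackice.exe"
PROXY_LOG = [  # constructed; example.invalid stands in for a check-in site
    "GET http://example.invalid/url.txt",
    "GET http://example.invalid/?mac=00-11-22-33-44-55&serial=1A2B3C4D&hostname=ws01&version=1.1",
]

def ini_value(text, section, key):
    """Return the value of key inside [section] (case-insensitive), else None."""
    current = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def shell_extra(value):
    """Anything appended after explorer.exe in a Shell value is suspect."""
    tokens = value.split()
    if tokens and tokens[0].lower() in ("explorer", "explorer.exe"):
        return " ".join(tokens[1:])
    return value

def persistence_findings(win_ini, system_ini, winlogon_shell):
    """List (location, value) pairs matching the worm's autostart entries."""
    findings = []
    run = ini_value(win_ini, "load", "run")  # write-up: win.ini [load] run=<worm path>
    if run:
        findings.append(("win.ini [load] run", run))
    shell = ini_value(system_ini, "boot", "shell") or ""
    for location, value in (("system.ini [boot] shell", shell), ("Winlogon Shell", winlogon_shell)):
        extra = shell_extra(value)
        if extra:
            findings.append((location, extra))
    return findings

def is_darksnow_beacon(url):
    """True when the query carries mac, serial, hostname and version=1.1."""
    q = parse_qs(urlsplit(url).query)
    return {"mac", "serial", "hostname", "version"} <= set(q) and q["version"] == ["1.1"]

def beacon_lines(log):
    """Proxy log lines (method + URL) whose URL matches the check-in format."""
    return [line for line in log if is_darksnow_beacon(line.split()[-1])]
```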

Analysis by Dan Kurc

Last update 18 April 2012

 
