
Win32.Evaman.C@mm (Win32.Linort.A@mm)


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Evaman.C@mm (Win32.Linort.A@mm) is also known as I-Worm.Mydoom.o (KAV).

Explanation:

This worm is a typical mass-mailer that arrives as an infected attachment inside a zip archive, with a few improvements over its preceding variants.

When run, it creates a thread that scans all running processes and checks whether their module names contain certain sub-strings; any process whose module name matches is killed. These sub-strings are: uba, mc, Mc, av, AV, cc, sym, Sym, nv, can, scn, java, xp.exe, ecur, nti, erve, sss, iru, ort, SkyNet and KV.

Then it checks for registry key markers to see whether this is the first execution of the worm on the victim machine. These keys are "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs" and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs".

If neither of them is found, they are created and a "notepad" instance is spawned in order to fool the user.

Otherwise it attempts to create the mutex "NorthernLightMixed" so that no duplicate instance of the worm runs simultaneously.

Next the worm installs itself by copying to the %system% directory under the name "winlibs.exe", then sets a string value named "winlibs.exe" in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" or "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" that points to "%system%\winlibs.exe".

Then it checks whether the local date is after January 1, 2006; if so, the worm logs off the current user. Because it is already set to run at startup, this results in a prompt log-off just after any user logs in.
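The first-run markers, autorun value and mutex described above are host indicators a responder can look for. The following Python check is an added example, not part of BitDefender's write-up: it parses a minimal `reg export` fragment and an optional list of observed mutex names and reports which of the indicators are present. The registry paths are the ones quoted above, written with the backslashes the page's rendering dropped; the export fragment and mutex list are constructed here for illustration.

```python
import re

# Indicators quoted in the description above (backslashes restored).
MARKER_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs",
)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "winlibs.exe"
MUTEX_NAME = "NorthernLightMixed"

# Constructed sample: a trimmed `reg export` of an HKCU hive showing both the
# autorun value and the first-run marker key. Not captured from a real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winlibs.exe"="C:\\WINDOWS\\system32\\winlibs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs]
@=""
'''

_VALUE_RE = re.compile(r'^"([^"]*)"=(?:"(.*)"|(.*))$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.

    Only named string values ("name"="data") are decoded, which is all this
    check needs; keys with no such values still appear with an empty dict.
    .reg files double every backslash inside string data, so that is undone.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][m.group(1)] = data.replace("\\\\", "\\")
    return keys


def find_evaman_indicators(reg_text, mutex_names=()):
    """Return human-readable findings for the markers, autorun entry and mutex.

    Registry paths are compared case-insensitively, as Windows treats them.
    `mutex_names` is an optional iterable of mutex names seen on the host
    (for instance from a handle listing); pass nothing to skip that check.
    """
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for marker in MARKER_KEYS:
        if marker.lower() in keys:
            findings.append(f"first-run marker key present: {marker}")
    for run in RUN_KEYS:
        for name, data in keys.get(run.lower(), {}).items():
            # Either the value name or a target path ending in winlibs.exe is enough.
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith("\\winlibs.exe"):
                findings.append(f"autorun entry {run}\\{name} -> {data}")
    if MUTEX_NAME in mutex_names:
        findings.append(f"mutex present: {MUTEX_NAME}")
    return findings


if __name__ == "__main__":
    for finding in find_evaman_indicators(SAMPLE_REG_EXPORT, ["NorthernLightMixed"]):
        print(finding)
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion file.reg` (and the HKLM equivalent); the presence of the `Explorer\winlibs` marker key alone is enough to say the worm has run at least once, since nothing legitimate creates it.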

Finally it creates a thread to send emails and begins harvesting email addresses. It searches in three stages:
1. the Windows Address Book (WAB), located via the "HKCU\Software\Microsoft\WAB\WAB4\Wab File Name" registry entry
2. recursively in the Temporary Internet Files folder, using the location "%USERPROFILE%\Local Settings\Temporary Internet Files"
3. recursively in drives from C: through Z:, but only physical and ramdisk ones

The following file types are scanned for email addresses when recursive scanning is used: txt, dhtm, msg, htm, xml, eml, html, sht, shtm, shtml, jse, jsp, js, php, cfg, asp, ods, mmf, dbx, tbb, adb, pl and wab.

The sender may be one of the following: mike@, jennifer@, david@, linda@, susan@, nancy@, pamela@, eric@, kevin@, mary@, jessica@, patricia@, barbara@, karen@, sarah@, robert@, john@, daniel@, jason@ or joe@ with different domain names.

The attachment name is composed of one of the following names: mail, message, attachment, transcript, text, document, file or readme, combined with one of the following extensions: .exe, -txt.exe, -htm.exe or -txt.scr.

Subject may be one of the following:
SN: New secure mail
Secure delivery
failed transaction
Re: hello (Secure-Mail)
Re: Extended Mail
Delivery Status (Secure)
Re: Server Reply
SN: Server Status

The harvested email addresses are filtered so that the worm does not send to any address whose domain name contains one of the following sub-strings: .edu, Bug, ugs, bug, upport, ICROSOFT, icrosoft, oot, dmin, ymat, avp, ecur, @MM, ebmast, help, opho, inpris, omain, senet, panda, 32., @mm, msn, inux, umit, nfo, irus, buse, orton, cafee, spam, Spam, SPAM, ntivi, eport, user, inzip, inrar, rend, pdate, USER, ating, ample, ists, persk, ccoun, ompu, msdn, YOU, you, oogle, arsoft, otmail, sarc, soft, ware, .gov, .mil, cribe, list, eturn, omment, Sale, sale, CRIBE, gmail, ruslis, ibm, win and !.
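The sender names, attachment naming scheme and subject lines above are fixed strings, which makes them usable as mail-gateway indicators. The following Python classifier is an added example, not BitDefender's code: it matches a message's subject, sender local-part and attachment names against those lists, looks inside zip attachments for the executable the worm ships there, and treats the attachment pattern as decisive while requiring the weaker subject and sender indicators to occur together. The sample messages and the in-memory zip are constructed here for illustration.

```python
import io
import re
import zipfile

# Strings quoted in the description above.
SUBJECTS = {
    "SN: New secure mail", "Secure delivery", "failed transaction",
    "Re: hello (Secure-Mail)", "Re: Extended Mail", "Delivery Status (Secure)",
    "Re: Server Reply", "SN: Server Status",
}
SENDER_LOCALPARTS = {
    "mike", "jennifer", "david", "linda", "susan", "nancy", "pamela", "eric",
    "kevin", "mary", "jessica", "patricia", "barbara", "karen", "sarah",
    "robert", "john", "daniel", "jason", "joe",
}
# <name><extension> with the eight names and four extensions listed above.
ATTACHMENT_RE = re.compile(
    r"^(?:mail|message|attachment|transcript|text|document|file|readme)"
    r"(?:\.exe|-txt\.exe|-htm\.exe|-txt\.scr)$",
    re.IGNORECASE,
)


def expand_zip_attachments(attachments):
    """Given [(filename, bytes)], return the filenames plus the member names of
    any zip archive among them, so the executable inside the archive is seen."""
    names = []
    for name, data in attachments:
        names.append(name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names.extend(zf.namelist())
    return names


def evaman_mail_indicators(subject, sender, attachment_names):
    """Return the list of indicators from the description that a message matches."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append(f"subject matches worm template: {subject.strip()!r}")
    local = sender.split("@", 1)[0].lower()
    if local in SENDER_LOCALPARTS:
        hits.append(f"sender local-part from worm list: {local}")
    for name in attachment_names:
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name matches worm pattern: {name}")
    return hits


def is_probable_evaman(subject, sender, attachment_names):
    """The attachment pattern alone is decisive. A matching subject or a common
    first name as sender is too ordinary on its own, so those two must coincide."""
    hits = evaman_mail_indicators(subject, sender, attachment_names)
    has_attachment_hit = any(h.startswith("attachment") for h in hits)
    return has_attachment_hit or len(hits) >= 2


def _constructed_zip(member_name):
    """Build a small in-memory zip holding one dummy member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not an executable")
    return buf.getvalue()


def classify_constructed_samples():
    """Run the classifier over two constructed messages; returns {label: verdict}."""
    samples = {
        "worm-like": ("Re: Server Reply", "david@example.org",
                      [("mail.zip", _constructed_zip("document-txt.exe"))]),
        "benign": ("Re: lunch tomorrow", "david@example.org",
                   [("report.pdf", b"%PDF-1.4 constructed placeholder")]),
    }
    return {
        label: is_probable_evaman(subj, sender, expand_zip_attachments(atts))
        for label, (subj, sender, atts) in samples.items()
    }


if __name__ == "__main__":
    for label, verdict in classify_constructed_samples().items():
        print(f"{label}: {'flag' if verdict else 'pass'}")
```

Because the subject list and the name-times-extension attachment scheme are exhaustive in the description, the attachment regex has no false positives on ordinary mail; the sender list, by contrast, is just common first names and is only useful in combination.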

It was compiled with Visual C++ 6.00 and packed with UPX.

Last update 21 November 2011
