
Worm:Win32/Wecykler.A


First posted on 29 November 2012.
Source: Microsoft

Aliases :

Worm:Win32/Wecykler.A is also known as Trojan/Win32.Cosmu (AhnLab) and Worm.Win32.Fednu.k (Rising AV).

Explanation :



Worm:Win32/Wecykler.A is a worm that spreads via removable drives, such as USB sticks. It also terminates security-related processes and logs keystrokes.



Installation

Worm:Win32/Wecykler.A creates copies of itself as the following:

  • %ProgramFiles%\Windows Alerter\WinAlert.exe
  • %ProgramFiles%\Windows Common Files\Commgr.exe


The folders where its copies are located are hidden.

It also creates a hidden copy of itself as the following:

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe


Worm:Win32/Wecykler.A modifies the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
With data: "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Alerter"
With data: "%ProgramFiles%\Windows Alerter\WinAlert.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Common Files Manager"
With data: "%ProgramFiles%\Windows Common Files\Commgr.exe"
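The following triage script is an added example for this page; it is not code from the original write-up or from Microsoft. It checks a host for the Run values, dropped files and RECYCLER copy listed above. It assumes it is run elevated, from PowerShell itself rather than cmd.exe or reg.exe (both of which the worm terminates, see the process list under Payload), that a Win32 binary on 64-bit Windows may have resolved %ProgramFiles% to the x86 folder (so both are checked), and that the trailing RID of the RECYCLER folder may differ from the one shown on the page (so only the "X-1-5-21-" prefix is matched).

```powershell
# Added example, not code from the original write-up or from Microsoft.
# Triage a host for the Wecykler.A persistence and drop locations above.
# Assumptions: elevated PowerShell on the suspect host; both Program Files
# folders are checked; RECYCLER folder matched by prefix only.

$valueNames    = @('WindowMessenger', 'Windows Alerter', 'Windows Common Files Manager')
$relativeDrops = @('Windows Alerter\WinAlert.exe', 'Windows Common Files\Commgr.exe')
$recyclerRoot  = 'C:\RECYCLER'   # XP-era recycle bin; Vista and later use $Recycle.Bin

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Run values: HKLM plus every loaded user hive (this covers HKCU of the
#    current user and any other user currently logged on).
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($name in $valueNames) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { Add-Finding 'RunValue' "$key\$name" ([string]$item.$name) }
    }
}

# 2. Dropped copies under Program Files. The folders are hidden, so use
#    -Force when reading attributes; Test-Path finds hidden files as-is.
$programFilesDirs = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
foreach ($pf in $programFilesDirs) {
    foreach ($rel in $relativeDrops) {
        $path = Join-Path -Path $pf -ChildPath $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f = Get-Item -LiteralPath $path -Force
            $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            Add-Finding 'DroppedFile' $path "Hidden=$hidden Size=$($f.Length)"
        }
    }
}

# 3. RECYCLER copy and the keystroke log "info". Genuine per-user recycle
#    bin folders are named S-1-5-21-..., so an X-1-5-21-* folder is itself
#    a strong indicator.
if (Test-Path -LiteralPath $recyclerRoot) {
    Get-ChildItem -LiteralPath $recyclerRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'X-1-5-21-*' } |
        ForEach-Object {
            foreach ($leaf in @('WinSysApp.exe', 'info')) {
                $p = Join-Path -Path $_.FullName -ChildPath $leaf
                if (Test-Path -LiteralPath $p -PathType Leaf) {
                    Add-Finding 'Recycler' $p "Size=$((Get-Item -LiteralPath $p -Force).Length)"
                }
            }
        }
}

if ($findings.Count -eq 0) { 'No Wecykler.A indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A matching Run value name on its own is not conclusive; confirm that the Detail column points at one of the paths listed above before treating the host as infected. Do not delete the "info" file during triage: it is the keystroke log, and its contents tell you what was captured from the user.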

Spreads via...

Removable drives

Worm:Win32/Wecykler.A periodically checks for removable drives, for example floppy drives, USB sticks, and flash card readers. If one is found, it copies itself onto that drive, using the same file name as the running malware. Worm:Win32/Wecykler.A uses a folder icon for its copy in an attempt to trick you into thinking that it is merely a folder.
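The removable-drive check below is an added example, not code from the original write-up or from Microsoft. It lists every executable at the root of each removable drive, which is where a copy written "into this drive" lands, and flags the file names the page lists for the worm's copies. It assumes the copy keeps its .exe extension; the folder icon only fools the eye because Explorer hides known extensions by default, so a directory listing shows the real name.

```powershell
# Added example, not code from the original write-up or from Microsoft.
# List root-level executables on removable drives and flag names the page
# associates with Wecykler.A. Assumption: the copy keeps its .exe extension.

$knownNames = @('WinAlert.exe', 'Commgr.exe', 'WinSysApp.exe')

function Get-RemovableRootExecutables {
    # Win32_LogicalDisk DriveType 2 = removable media (USB sticks, card readers, floppies)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        # -Force includes hidden and system files so a hidden copy is not missed
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.exe' } |
            ForEach-Object {
                [pscustomobject]@{
                    Drive     = $root
                    File      = $_.Name
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    KnownName = [bool]($knownNames -contains $_.Name)
                    Written   = $_.LastWriteTime
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

Get-RemovableRootExecutables | Sort-Object KnownName -Descending | Format-Table -AutoSize
```

The worm copies itself under whatever name it is currently running as, so an unfamiliar root-level .exe with a folder icon deserves a look even when KnownName is false; the SHA256 column lets you compare it against the copies found on the host. Because the worm polls for removable drives, any writable USB stick inserted into an infected machine will receive a copy: carry response tools on write-protected media, or image the stick afterwards rather than reusing it.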



Payload

Logs keystrokes

Worm:Win32/Wecykler.A may log keystrokes and save them in a file named "info", for example:

C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info

Terminates processes

Worm:Win32/Wecykler.A may terminate security-related processes on your computer. The list below also covers built-in administrative tools (cmd.exe, taskmgr.exe, tasklist.exe, regedit.exe, reg.exe, msconfig.exe, mmc.exe, rstrui.exe), so an infected machine resists manual inspection and System Restore from those tools; the processes it targets include:

  • acs.exe
  • agrs.exe
  • anti-trojan.exe
  • ants.exe
  • aswboot.exe
  • atwatch.exe
  • avast.exe
  • avengine.exe
  • avgcc32.exe
  • avgemc.exe
  • avgfree.exe
  • avgnt.exe
  • avgsetup.exe
  • avguard.exe
  • avnt.exe
  • avp.exe
  • avpcc.exe
  • avsched32.exe
  • bdagent.exe
  • blackice.exe
  • btdfbr.exe
  • btrl.exe
  • btscan.exe
  • ccapp.exe
  • ccleaner.exe
  • ccproxy.exe
  • ccsvchost.exe
  • cleaner.exe
  • cmd.exe
  • emlproui.exe
  • emlproxy.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • kavpf.exe
  • kpf4ss.exe
  • lockdown.exe
  • mcnasvc.exe
  • mcproxy.exe
  • mcregist.exe
  • mcshield.exe
  • mcsysmon.exe
  • mmc.exe
  • mpfservice.exe
  • msconfig.exe
  • msmscsvc.exe
  • navapsvc.exe
  • navw32.exe
  • nisserv.exe
  • nisum.exe
  • nod32.exe
  • nod32krn.exe
  • onlinent.exe
  • opssvc.exe
  • outpost.exe
  • payfires.exe
  • payproxy.exe
  • pccntmon.exe
  • persfw.exe
  • qhunpack.exe
  • quhlpsvc.exe
  • realmon.exe
  • reg.exe
  • regedit.exe
  • rstrui.exe
  • scanner.exe
  • scanwscs.exe
  • sensor.exe
  • siteadv.exe
  • smc.exe
  • tasklist.exe
  • taskmgr.exe
  • taumon.exe
  • tds-3.exe
  • tsnt2008.exe
  • upschd.exe
  • usbguard.exe
  • vbcons.exe
  • vsserv.exe
  • vsstat.exe
  • watchdog.exe
  • ymsgrtray.exe
  • zapro.exe
  • zonealarm.exe




Analysis by Jireh Sanico

Last update 29 November 2012
