
Worm:Win32/Vercuser


First posted on 24 April 2015.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Vercuser.

Explanation :

Threat behavior

Installation
Typically, this threat gets onto your PC from a drive-by download attack. It can also be installed when you visit a compromised webpage or use an infected removable drive. This threat also receives commands from a remote server to run on your PC. It can also drop a copy of itself in the following directory on a removable drive. The dropped file is given the Read-Only, Hidden, and System file attributes when it is dropped on a removable drive. Files with the System attribute are hidden in GUIs but can be seen in command-line tools.

  • %Removable drive%\USB\Data\SecureDrive.exe
The following component files are also added:

  • %Removable drive%\autorun.inf
  • %Removable drive%\USB\Data\Desktop.ini
  • %Removable drive%\USB\Desktop.ini


Installation logic

This threat also drops a copy of itself in:
> %APPDATA%\Microsoft\Windows\~temp~<*>iN.exe
where <*> can be any of the following options. Each construct needs a specific command-line parameter to execute:

  • Filename matches this regular expression "^~temp~[0-9]{5}iN\.exe", executed with the "in" parameter (installer mode)
    For example: ~temp~12345iN.exe in
  • Filename matches this regular expression "^~temp~[0-9]{10}iN\.exe", executed with the "win" parameter (injector mode)
    For example: ~temp~1234567890iN.exe win
  • In some cases the file name can look like the one below. This mode is used to set up services and hide folders.
    Filename matches this regular expression ".*\\hsperfdata_temp\\~temp~clear~[0-9]{5}\.exe", executed with the "cleartemp" parameter
    For example: ~temp~clear~32165.exe cleartemp


This threat also creates the following registry entries so that it runs each time you start your PC.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
With data: 'SecurityUpdate<5 random numbers>'
Sets value: "%APPDATA%\Microsoft\Windows\~temp~<5 random numbers>iN.exe" in
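Each of the three modes above, and the RunOnce persistence entry, shows up in process or autorun telemetry as a command line (image path plus parameter). The following Python is an added example, not code from the page or from Microsoft, that classifies a recorded command line against the description's patterns; the handling of double-quoted image paths and the end anchors added to the regular expressions are assumptions.

```python
import ntpath
import re

# Patterns quoted in the threat description, paired with the parameter each
# mode expects. The first two are matched against the file name only; the
# third is matched against the full image path because it names a directory.
MODES = (
    ("installer", re.compile(r"^~temp~[0-9]{5}iN\.exe$", re.IGNORECASE), "in", False),
    ("injector", re.compile(r"^~temp~[0-9]{10}iN\.exe$", re.IGNORECASE), "win", False),
    ("cleartemp", re.compile(r".*\\hsperfdata_temp\\~temp~clear~[0-9]{5}\.exe$",
                             re.IGNORECASE), "cleartemp", True),
)


def split_command_line(cmdline):
    """Split a Windows command line into (image path, [arguments]).

    A double-quoted image path (as written in the RunOnce data) is taken
    whole; otherwise the first whitespace-separated token is the image.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline.strip('"'), []
        return cmdline[1:end], cmdline[end + 1:].split()
    parts = cmdline.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def classify(cmdline):
    """Return the Vercuser mode a command line matches, or None.

    A hit needs both the file-name pattern and the expected first argument,
    since the description says each construct needs its parameter to run.
    """
    image, args = split_command_line(cmdline)
    name = ntpath.basename(image)
    for mode, pattern, param, full_path in MODES:
        subject = image if full_path else name
        if pattern.match(subject) and args[:1] == [param]:
            return mode
    return None


if __name__ == "__main__":
    # Constructed sample command lines, including the RunOnce data form.
    for line in ("~temp~12345iN.exe in",
                 r'"C:\Users\u\AppData\Roaming\Microsoft\Windows\~temp~12345iN.exe" in',
                 "~temp~12345iN.exe win"):
        print(f"{line!r}: {classify(line)}")
```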

Earlier versions of this threat can create the auto start registry keys below:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
With data: Internet Security
Sets value:



Spreads through...

Removable drives

The worm typically spreads through an infected removable drive, which might itself have been infected during a drive-by download attack from visiting a compromised website.

Payload


Drops other malware

We have seen this threat drop malware files detected as Backdoor:Win32/Poison.E. These files are dropped as "%TEMP%\~DF%nnn%KB.tmp.exe", where nnn is any number from 10000 to 99999.

Connects to a remote host to download and run files

This threat attempts to connect to a set of remote servers (dynamic DNS host names) and ports to download and run files:


Deletes other files

This worm also checks for the following files and deletes them when found.

  • %Removable drive%\System\AutoDrive.exe
  • %Removable drive%\Passwords.exe


These files can be old versions of the worm, or a version from a rival malware group distributing the same type of malware.

Disguises itself as a legitimate tool to evade detection

Some variants of this worm also use "Microsoft Malware Removal Tool" as their window title to evade antivirus process inspection.

It can also drop a copy of itself disguised as "Windows Defender" in the following location:

  • %ProgramFiles%\Windows Defender\MSASCui.exe


It also creates the following shortcuts pointing to the malware:

  • %startupcommon%\Windows Defender.lnk
  • %startup%\Windows Defender.lnk


For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
With data: Windows Defender
Sets value: %ProgramFiles%\Windows Defender\MSASCui.exe

Note: To confirm whether you are using a legitimate version of "Microsoft Malware Removal Tool" and not a copy of this threat: the Microsoft tool has a user interface, while the malware does not show that window. See http://www.microsoft.com/en-gb/security/pc-security/malware-removal.aspx for details.

This worm can also disguise itself as Internet Explorer and is installed as any of the following files:

  • %programfilesdir%\Internet Explorer\iexplore.dll
  • %programfilesdir%\Internet Explorer\iexplore.exe
  • %programfilesdir%\Internet Explorer\ieinstal.dll


Modifies System Security Settings

It also modifies the following registry entries to hide its file components.

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    With data: Hidden
    Sets value: 2
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    With data: HideFileExt
    Sets value: 1
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    With data: ShowSuperHidden
    Sets value: 0
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    With data: DefaultValue
    Sets value: 1
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    With data: CheckedValue
    Sets value: 1
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    With data: CheckedValue
    Sets value: 2
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    With data: DefaultValue
    Sets value: 2
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    With data: CheckedValue
    Sets value: 1
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    With data: DefaultValue
    Sets value: 2
  • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    With data: CheckedValue
    Sets value: 0
  • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    With data: DefaultValue
    Sets value: 0
  • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    With data: UncheckedValue
    Sets value: 0
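The three HKCU\...\Explorer\Advanced values listed above (Hidden, HideFileExt, ShowSuperHidden) are the ones a user would notice, since they decide whether the worm's Hidden and System files and their .exe extensions are shown in Explorer. The following Python is an added example, not from the page or from Microsoft, that parses `reg query` output for that key, reports values still in the hiding configuration, and builds the `reg add` commands that make the files visible again; the sample dump is constructed, and the "visible" values are the standard meanings of those settings, not something the page states. Note that these same three values are also the defaults on a fresh Windows profile, so a finding confirms the hiding configuration rather than proving infection on its own.

```python
import re

# Values the description says the worm sets, beside the settings that make
# hidden files, extensions and protected OS files visible (assumed remediation).
WORM_SETTINGS = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
VISIBLE_SETTINGS = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}

ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed sample of `reg query HKCU\...\Explorer\Advanced` output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x2
    HideFileExt    REG_DWORD    0x1
    ShowSuperHidden    REG_DWORD    0x0
    TaskbarGlomLevel    REG_DWORD    0x0
"""

# One REG_DWORD line: indented name, type, hex data.
LINE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for the REG_DWORD lines of a reg query dump."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_explorer_values(values):
    """List (name, current, recommended) for each value still set the way the
    worm leaves it; an empty list means nothing to remediate."""
    return [(name, bad, VISIBLE_SETTINGS[name])
            for name, bad in WORM_SETTINGS.items() if values.get(name) == bad]


def remediation_commands(findings):
    """Build the reg add commands that restore the visible settings."""
    return [f'reg add "{ADVANCED_KEY}" /v {name} /t REG_DWORD /d {good} /f'
            for name, _, good in findings]


if __name__ == "__main__":
    found = audit_explorer_values(parse_reg_query(SAMPLE_REG_QUERY))
    for cmd in remediation_commands(found):
        print(cmd)
```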


Additional information

This threat also performs system checks and terminates any of the following analysis and monitoring tools, identified by window title, class, or text, to evade detection.

  • Registry checks - Checks for security and registry-monitoring processes with the following window titles:
    • Window Title: WhatChanged
      Window Class: #32770
      Window Text: LOCAL MACHINE
    • Window Title: Blue Project Software SysTracer
      Window Text: Take snapshot
    • Window Title: SpyMe Tools
      Window Text: Scan
    • Window Title: Regshot
      Window Class: #32770
      Window Text: 1st shot
    • Window Title: Process Monitor
      Window Class: PROCMON_WINDOW_CLASS
    • Window Title: Autoruns
      Window Class: Autoruns
  • Process checks
    • Window Title: Process Monitor
      Window Class: PROCMON_WINDOW_CLASS
    • Window Class: Class_PLMain
    • Window Class: PROCEXPL
    • Window Class: ProcessHacker
    • Window Class: AnVirMainFrame
    • Window Title: System Explorer
      Window Class: TMainForm.UnicodeClass
    • Window Title: Registry Editor
      Window Class: RegEdit_RegEdit
  • Virtual Machines - Checks for the following registry keys and paths that indicate a virtual machine:
    • HKLM\SOFTWARE\Microsoft\Hyper-V
    • HKLM\HARDWARE\ACPI\DSDT\Xen
    • HKLM\HARDWARE\ACPI\FADT\Xen
    • HKLM\HARDWARE\ACPI\RSDT\Xen
    • HKLM\HARDWARE\ACPI\FADT\VBOX__
    • HKLM\HARDWARE\ACPI\RSDT\VBOX__
    • HKLM\HARDWARE\ACPI\DSDT\VBOX__
    • HKLM\HARDWARE\DEVICEMAP\Scsi
      • Contains any of the following
        • VMware
        • Virtual IDE
        • Virtual HD
        • Virtual Machine
        • VBOX HARDDISK
    • HKLM\SOFTWARE\VMware, Inc.
    • HKLM\SYSTEM\CurrentControlSet\services\VBoxService
    • %programfilesDir%\Oracle\VirtualBox
    • %programfilesDir%\VMware

Symptoms

The following can indicate that you have this threat on your PC:

  • You have any of the following files in these directories:
    • %Removable drive%\USB\Data\SecureDrive.exe
    • %Removable drive%\autorun.inf
    • %Removable drive%\USB\Data\Desktop.ini
    • %Removable drive%\USB\Desktop.ini
  • You see the following registry modifications:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      With data: Hidden
      Sets value: 2
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      With data: HideFileExt
      Sets value: 1
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      With data: ShowSuperHidden
      Sets value: 0
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
      With data: DefaultValue
      Sets value: 1
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
      With data: CheckedValue
      Sets value: 1
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
      With data: CheckedValue
      Sets value: 2
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
      With data: DefaultValue
      Sets value: 2
    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
      With data: CheckedValue
      Sets value: 1
    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
      With data: DefaultValue
      Sets value: 2
    • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
      With data: CheckedValue
      Sets value: 0
    • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
      With data: DefaultValue
      Sets value: 0
    • In subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
      With data: UncheckedValue
      Sets value: 0


Last update 24 April 2015
