
Worm:Win32/Phdet.A


First posted on 26 July 2012.
Source: Microsoft

Aliases:

Worm:Win32/Phdet.A is also known as Trojan.Win32.Scar.dncv (Kaspersky), TR/Scar.djno (Avira), Mal/PHDet-DAA (Sophos), W32.Printlove (Symantec).

Explanation:



Worm:Win32/Phdet.A is a worm that spreads via removable drives and the software vulnerability described in CVE-2010-2729 and resolved with Microsoft Security Bulletin MS10-061. If it cannot spread to network computers through the software vulnerability, it instead prints garbage data on a network printer.

Worm:Win32/Phdet.A lowers the security settings in Microsoft Word and sends information about your computer to remote servers.



Installation

When run, Worm:Win32/Phdet.A drops the following files:

  • %TEMP%\dll7.tmp.dll - also detected as Worm:Win32/Phdet.A
  • %TEMP%\vbs8.tmp.vbs - script that calls %TEMP%\dll7.tmp.dll


It creates the mutex "Global\{66C44A83-3E94-438b-8278-812E2D8D603F}" to ensure that only one instance of itself is running at any given time.

Spreads via...

Mapped drives

Worm:Win32/Phdet.A enumerates all mapped drives. If any of these drives are writeable, Worm:Win32/Phdet.A drops the following files in them:

  • <drive:>\thumbs.exe - copy of itself
  • <drive:>\autorun.inf - file that automatically runs <drive:>\thumbs.exe when the drive is accessed and if Autorun is enabled


Software vulnerabilities

Worm:Win32/Phdet.A enumerates all network resources. It checks if a network printer exists. If it does, Worm:Win32/Phdet.A uses the vulnerability described in CVE-2010-2729 to copy itself into the Windows system folders of other computers in the network.

The vulnerability described in CVE-2010-2729 has been resolved with the release of Microsoft Security Bulletin MS10-061. If Worm:Win32/Phdet.A finds that the security bulletin has been applied to network computers, the network computers print garbled data through the network printers instead.



Payload

Lowers system security

Worm:Win32/Phdet.A sets the following registry entries, which enable the "Trust access to Visual Basic project" setting in Microsoft Word:

In subkeys:
HKCU\Software\Microsoft\Office\8.0\Word\Security
HKCU\Software\Microsoft\Office\10.0\Word\Security
HKCU\Software\Microsoft\Office\11.0\Word\Security
HKCU\Software\Microsoft\Office\12.0\Word\Security
Sets value: "AccessVBOM"
With data: "1"

This allows its dropped script "vbs8.tmp.vbs" to automatically run whenever you open Microsoft Word. This script, in turn, runs the DLL version of this worm.

Steals computer information

Worm:Win32/Phdet.A gets the volume serial number of C: and the computer name. It then sends this information to a remote server. Two of the servers it is known to connect to are:

  • systemreboots.com
  • respecto.co.cc
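The following PowerShell function is an added defender-side triage check, not code from Microsoft's write-up or from the worm. It reads the host for the indicators listed in the Installation, Spreads via, and Payload sections above: the dropped %TEMP% files, the mutex name, thumbs.exe plus autorun.inf on drive roots, AccessVBOM=1 under the listed Word Security subkeys, and resolver-cache entries for the two named servers. The function name, the use of Get-DnsClientCache (available on Windows 8 / Server 2012 and later), and the one-line output format are assumptions of this example.

```powershell
# Added example (not part of the original write-up): report Phdet.A indicators on this host.
# Assumes Windows PowerShell 3.0 or later; run in the context of the user to be checked,
# since the registry entries live under HKCU.
function Test-PhdetIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files in %TEMP% (file names from the write-up)
    foreach ($name in 'dll7.tmp.dll', 'vbs8.tmp.vbs') {
        $p = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
    }

    # 2. Mutex (name from the write-up). OpenExisting throws
    #    WaitHandleCannotBeOpenedException when no process holds it, and
    #    UnauthorizedAccessException when it exists but this user may not open it.
    $mutexName = 'Global\{66C44A83-3E94-438b-8278-812E2D8D603F}'
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        $findings.Add("Mutex present: $mutexName")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: the expected result on a clean host
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex present (access denied to open it): $mutexName")
    } catch {
        $findings.Add("Mutex check inconclusive: $($_.Exception.Message)")
    }

    # 3. Drive roots carrying both thumbs.exe and autorun.inf (mapped-drive spread)
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $root = $d.Root
        if (-not $root) { continue }
        $exe = Join-Path $root 'thumbs.exe'
        $inf = Join-Path $root 'autorun.inf'
        if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $inf)) {
            $findings.Add("thumbs.exe and autorun.inf present at $root")
        }
    }

    # 4. AccessVBOM = 1 in the Word Security subkeys listed in the write-up
    foreach ($ver in '8.0', '10.0', '11.0', '12.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        if (Test-Path -LiteralPath $key) {
            $v = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).AccessVBOM
            if ($v -eq 1) { $findings.Add("AccessVBOM=1 under $key") }
        }
    }

    # 5. DNS client cache entries for the two servers named in the write-up
    #    (cmdlet assumed present; skipped silently on older Windows versions)
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
        foreach ($domain in 'systemreboots.com', 'respecto.co.cc') {
            if ($cache | Where-Object { $_.Entry -like "*$domain*" }) {
                $findings.Add("DNS cache entry for $domain")
            }
        }
    }

    return $findings
}

# Usage: an empty result means none of the listed indicators were found.
Test-PhdetIndicators
```

A hit on the registry check alone is worth confirming rather than acting on, since AccessVBOM can be set legitimately by a user or an add-in; the combination of the mutex, the %TEMP% files, or the drive-root pair with the registry value is the stronger signal. The mutex check is point-in-time and only fires while the worm process is running.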




Analysis by Jaime Wong

Last update 26 July 2012
