Worm:Win32/Tupym.A
First posted on 15 February 2019.
Source: Microsoft
Aliases: Worm:Win32/Tupym.A is also known as W32/Tupym.worm, WORM_SOHANAD.SM, Worm.Win32.AutoRun.fnc, W32/AutoRun-AOA, W32.Imaut.
Explanation:
Installation
When executed, Win32/Tupym copies itself to your computer as the following:
%windir%\system3_.exe
system3_.exe
It makes changes to the system registry so that it automatically runs every time you start your computer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
With data: "system3_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe system3_.exe"
It also tries to create a scheduled Windows task that runs the worm at 09:00 every day of the week, by running the following Windows shell commands:
cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su system3_.exe
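The registry entries above are the worm's persistence: a Run value and an extra program appended to the Winlogon Shell value, which should only ever read "explorer.exe". The following is an added detection example, not code from the Microsoft write-up. It parses a registry export in the layout that `reg query` prints (an unindented key path followed by indented "name type data" rows separated by runs of spaces) and reports both artifacts; the two sample exports are constructed for the example, and the OneDrive and Userinit rows are ordinary entries included only as background.

```python
"""Added detection example, not part of the Microsoft write-up: flag the
Win32/Tupym persistence entries in a registry export. The input layout
mirrors `reg query` output (a key line, then indented "name type data"
rows separated by runs of spaces); the sample exports are constructed."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Indicators from the write-up: the value name the worm registers (with its
# typo), the dropped file name, and the only legitimate Winlogon Shell value.
TUPYM_RUN_VALUE = "Yahoo Messengger"
TUPYM_BINARY = "system3_.exe"
CLEAN_SHELL = "explorer.exe"

# Constructed sample: what the two keys look like on an infected host.
INFECTED_EXPORT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Yahoo Messengger    REG_SZ    system3_.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe system3_.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

# Constructed sample: the same keys on a clean host.
CLEAN_EXPORT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from reg-query style text."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            current = line.strip()
            keys[current] = {}
            continue
        if current is None:
            continue
        # Columns are separated by two or more spaces; value names and data
        # may themselves contain single spaces ("Yahoo Messengger").
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            name, _reg_type, data = parts
            keys[current][name] = data
        elif len(parts) == 2:              # value with empty data
            keys[current][parts[0]] = ""
    return keys


def find_tupym_persistence(text):
    """Return a list of (location, value_name, data) findings."""
    keys = parse_reg_query(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == TUPYM_RUN_VALUE or TUPYM_BINARY in data.lower():
            findings.append(("run_key", name, data))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # Winlogon\Shell should be exactly "explorer.exe"; any extra token is a
    # program that Winlogon will launch alongside the desktop.
    if shell is not None and shell.lower().split() != [CLEAN_SHELL]:
        findings.append(("winlogon_shell", "Shell", shell))
    return findings


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, find_tupym_persistence(export))
```

The Shell check deliberately does not look for "system3_.exe" by name: it flags any token beyond "explorer.exe", so it also catches a renamed copy, at the cost of a false positive on a host where the Shell value has been customised on purpose.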
It also creates the following file on your computer:
autorun.ini - detected as Win32/Tupym.A!inf
Payload
Contacts remote hosts
Win32/Tupym may contact the following remote hosts using port 80:
h1.ripway.com
www.balu000.0catch.com
www.balu001.0catch.com
www.balu002.0catch.com
www.balu003.0catch.com
www.balu004.0catch.com
www.balu005.0catch.com
www.balu006.0catch.com
www.balu007.0catch.com
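The host list above is the network indicator a defender can pivot on. The following is an added example, not code from the Microsoft write-up: it matches those hosts against web-proxy log lines (port 80 traffic is what a proxy or egress gateway sees) and lists the client addresses to triage. The log lines are constructed in the Squid native access.log layout; the balu###.0catch.com regular expression goes beyond the write-up by assuming the author numbers those hosts consecutively beyond balu007, so it is kept behind a switch and reported separately from exact matches.

```python
"""Added detection example, not from the Microsoft write-up: match the
remote hosts listed above against web-proxy log lines. Log lines use the
Squid native access.log layout and are constructed for this example; the
balu###.0catch.com pattern broadens the listed balu000-balu007 names and
is an assumption about how the author numbers those hosts."""
import re

# Hosts named in the write-up.
TUPYM_HOSTS = {"h1.ripway.com"} | {f"www.balu{n:03d}.0catch.com" for n in range(8)}
# Assumed broadening of the numbered hosts.
BALU_PATTERN = re.compile(r"^www\.balu\d{3}\.0catch\.com$", re.IGNORECASE)

# Constructed sample: timestamp elapsed client code/status bytes method URL ...
SAMPLE_PROXY_LOG = """\
1550217600.123    210 10.0.0.15 TCP_MISS/200 1834 GET http://www.balu003.0catch.com/ - HIER_DIRECT/203.0.113.7 text/html
1550217601.456     12 10.0.0.15 TCP_MISS/404 412 GET http://h1.ripway.com/ - HIER_DIRECT/203.0.113.8 text/html
1550217602.789    905 10.0.0.22 TCP_MISS/200 51234 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1550217603.001    130 10.0.0.15 TCP_MISS/200 1834 GET http://www.balu042.0catch.com/ - HIER_DIRECT/203.0.113.9 text/html
"""


def host_from_url(url):
    """Extract the lowercase host part of scheme://host[:port]/path."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def match_tupym_hosts(log_text, broaden=True):
    """Return (client_ip, host, reason) for each line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        host = host_from_url(url)
        if host is None:
            continue
        if host in TUPYM_HOSTS:
            hits.append((client, host, "listed"))
        elif broaden and BALU_PATTERN.match(host):
            hits.append((client, host, "pattern"))
    return hits


def clients_to_triage(hits):
    """Distinct client addresses that contacted an indicator, sorted."""
    return sorted({client for client, _host, _reason in hits})


if __name__ == "__main__":
    hits = match_tupym_hosts(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(*hit)
    print("triage:", clients_to_triage(hits))
```

Exact matches and pattern matches are reported with different reasons so that an analyst can treat the listed hosts as high confidence and review the pattern hits before acting on them; the same host set can be fed to a DNS resolver log search, since the worm has to resolve these names before connecting.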
Commonly, malware may contact a remote host for the following purposes:
To confirm Internet connectivity
To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer
Analysis by Scott Molenkamp
Last update 15 February 2019