Home / malware

PDF

Worm:W32/Todon.I

First posted on 08 December 2010.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/Todon.I.

Explanation :

Worm:W32/Todon.I is a worm that spreads to new victim machines via infected removable and network drives. The worm also has trojan-downloader capabilities, as it attempts to download additional files from remote servers.

Additional DetailsWorm:W32/Todon.I distributes itself by dropping a copy of its own malicious file (using the filename vgjeuyj.exe)onto specified drives and creates an autorun.inf file that points to it. These drives (D to Z) may include both removable drives and network drives.

While active on the computer, the worm terminates a number of processes and also attempts to download additional files from remote sites.

Installation

The malware creates the following copies of itself:

• %Program Files%\meex.exe
• %Program Files%\Common Files\Microsoft Shared\juyplqk.exe
• %Program Files%\Common Files\System\civoabs.exe

The malware creates the following autorun.inf files:

• %Program Files%\Common Files\Microsoft Shared\brgknyg.inf
• %Program Files%\Common Files\System\brgknyg.inf

Activity

The malware terminates a large number of processes if they have windows that contain the following text strings:

• 木马
• 木馬
• 病毒
• 杀毒
• 殺毒
• 查毒
• 防毒
• 专杀
• 專殺
• 卡巴
• 江民
• 瑞星
• 毒霸
• 恶意软件
• 流氓软件
• 上报
• QQ安全
• 举报
• 报警
• 杀软
• 殺軟
• 防殺
• 防杀
• 专 杀
• 360安全
• :\ - WinRAR
• QQ医生
• 进程
• System
• Microsoft Shared
• 微点
• ä¸Šå ±
• èˆ‰å ±
• 诊断报告
• 2007
• 進程
• Process
• Virus
• Trojan
• Sysinternals

Registry Changes

The malware creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vgjeuyj = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe"
brgknyg = %Program Files%\Common Files\System\civoabs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%executable%
Debugger = %Program Files%\Common Files\Microsoft Shared\juyplqk.exe

Where %executable% is any of the following:

• Ras.exe
• avp.com
• avp.exe
• runiep.exe
• PFW.exe
• FYFireWall.exe
• rfwmain.exe
• rfwsrv.exe
• KAVPF.exe
• KPFW32.exe
• nod32kui.exe
• nod32.exe
• Navapsvc.exe
• Navapw32.exe
• avconsol.exe
• webscanx.exe
• NPFMntor.exe
• vsstat.exe
• KPfwSvc.exe
• RavTask.exe
• Rav.exe
• RavMon.exe
• mmsk.exe
• WoptiClean.exe
• QQKav.exe
• QQDoctor.exe
• EGHOST.exe
• 360Safe.exe
• iparmo.exe
• adam.exe
• IceSword.exe
• 360rpt.exe
• 360tray.exe
• AgentSvr.exe
• AppSvc32.exe
• autoruns.exe
• avgrssvc.exe
• AvMonitor.exe
• CCenter.exe
• ccSvcHst.exe
• FileDsty.exe
• FTCleanerShell.exe
• HijackThis.exe
• Iparmor.exe
• isPwdSvc.exe
• kabaload.exe
• KaScrScn.SCR
• KASMain.exe
• KASTask.exe
• KAV32.exe
• KAVDX.exe
• KAVPFW.exe
• KAVSetup.exe
• KAVStart.exe
• KISLnchr.exe
• KMailMon.exe
• KMFilter.exe
• KPFW32X.exe
• KPFWSvc.exe
• KRegEx.exe
• KRepair.com
• KsLoader.exe
• KVCenter.kxp
• KvDetect.exe
• KvfwMcl.exe
• KVMonXP.kxp
• KVMonXP_1.kxp
• kvol.exe
• kvolself.exe
• KvReport.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStub.kxp
• kvupload.exe
• kvwsc.exe
• KvXP.kxp
• KvXP_1.kxp
• KWatch.exe
• KWatch9x.exe
• KWatchX.exe
• loaddll.exe
• MagicSet.exe
• mcconsol.exe
• mmqczj.exe
• nod32krn.exe
• PFWLiveUpdate.exe
• QHSET.exe
• RavMonD.exe
• RavStub.exe
• RegClean.exe
• rfwcfg.exe
• RfwMain.exe
• RsAgent.exe
• Rsaupd.exe
• safelive.exe
• scan32.exe
• shcfg32.exe
• SmartUp.exe
• SREng.EXE
• symlcsvc.exe
• SysSafe.exe
• TrojanDetector.exe
• Trojanwall.exe
• TrojDie.kxp
• UIHost.exe
• UmxAgent.exe
• UmxAttachment.exe
• UmxCfg.exe
• UmxFwHlp.exe
• UmxPol.exe
• UpLive.exe
• upiea.exe
• AST.exe
• ArSwp.exe
• USBCleaner.exe
• rstrui.exe
• QQLiveUpdate.exe
• QQUpdateCenter.exe
• Timwp.exe

Downloads

The malware attempts to download files from the following locations:

• http://www.[removed]/TDown1.exe
• http://www.[removed]/ReadDown.txt

Last update 08 December 2010

 

TOP