Worm:Win32/Rawspods.A
First posted on 28 December 2011.
Source: Microsoft
Aliases:
Worm:Win32/Rawspods.A is also known as Trojan.Win32.Scar.egqq (Kaspersky), W32.SillyFDC (Symantec).
Explanation:
Worm:Win32/Rawspods.A is a worm that spreads to removable drives. The worm also connects to a remote host in order to perform its malicious payload.
Installation
When executed, Worm:Win32/Rawspods.A copies itself as the following file:
- %ProgramFiles%\waragent\<malware file name>.exe (for example: "C:\Program Files\waragent\Waragent003.exe")
The worm modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Operating Dynamic Services"
With data: ""c:\program files\waragent\<malware file>.exe" /autostart"
The malware creates the following files on an affected computer:
- %programfiles%\waragent\settings\settings.lst
- %programfiles%\waragent\settings\settings.lst-journal
Spreads via...
Removable drives
Worm:Win32/Rawspods.A drops a copy of the worm to removable drives. The worm may write an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Contacts remote host
Worm:Win32/Rawspods.A may contact a remote host at comlink.subwar.net using port 80. At the time of this writing, the requested URL was unavailable for analysis. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
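The three observable traces described above (the Run-key persistence entry, the autorun.inf dropped on removable drives, and the contact with comlink.subwar.net) can be turned into a small triage script. The following Python is an added example written for this page, not Microsoft's code or anything from the worm's analysis; the Run-key export, the autorun.inf text and the Squid-style proxy log lines are all constructed sample data, and the file name "svc.exe" and the client addresses in them are made up for illustration.

```python
"""Triage checks for the Worm:Win32/Rawspods.A indicators described above.

Added example (not Microsoft's code). All inputs below are constructed:
a Run-key export as a dict, an autorun.inf body, and proxy log lines.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the description: Run value name, command-line shape,
# and the remote host. Port 80 is what the description reports.
RUN_VALUE_NAME = "Windows Operating Dynamic Services"
RUN_DATA_RE = re.compile(r'\\waragent\\[^"\s]+\.exe"?\s+/autostart', re.IGNORECASE)
C2_HOST = "comlink.subwar.net"


def check_run_entries(entries):
    """entries maps value name -> data for one ...\\CurrentVersion\\Run key.
    Returns the value names that match the worm's persistence entry, either by
    the exact value name or by the <waragent>\\<file>.exe /autostart command line,
    so a renamed value with the same command still triggers."""
    return [name for name, data in entries.items()
            if name == RUN_VALUE_NAME or RUN_DATA_RE.search(data)]


def autorun_launch_commands(text):
    """Parse autorun.inf text and return {key: command} for every entry that
    makes Windows launch something: open=, shellexecute=, and any
    shell\\<verb>\\command=. An empty dict means the file only sets a
    label or icon, which is what a benign autorun.inf usually does."""
    section = None
    commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key)
        if launches and value:
            commands[key] = value
    return commands


def c2_contacts(log_text, host=C2_HOST):
    """Scan Squid-style access log lines (constructed format: client address is
    field 3, URL is field 7) for requests to the remote host named in the
    description or any of its subdomains. Returns {client: hit count}.
    The host is matched on any port so a non-default port is not missed."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        name = (urlsplit(url).hostname or "").lower()
        if name == host or name.endswith("." + host):
            hits[client] = hits.get(client, 0) + 1
    return hits


# --- constructed sample inputs -------------------------------------------
RUN_SAMPLE = {
    "Windows Operating Dynamic Services": '"c:\\program files\\waragent\\Waragent003.exe" /autostart',
    "TrayHelper": 'C:\\Program Files\\Example\\tray.exe',
    "Updater": '"C:\\Program Files\\waragent\\svc.exe" /autostart',  # renamed value, same command
}

AUTORUN_SAMPLE = r"""[autorun]
open=Waragent003.exe
icon=Waragent003.exe,0
shell\open\command=Waragent003.exe
shell\explore\command=Waragent003.exe
label=Removable Disk
"""

BENIGN_AUTORUN = r"""[autorun]
label=Photos
icon=photos.ico
"""

PROXY_LOG_SAMPLE = """1325030400.101    120 10.0.0.5 TCP_MISS/200 512 GET http://comlink.subwar.net/ - DIRECT/203.0.113.9 text/html
1325030401.220     80 10.0.0.7 TCP_MISS/200 9001 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1325030402.330    140 10.0.0.5 TCP_MISS/200 300 GET http://comlink.subwar.net/ - DIRECT/203.0.113.9 text/html
1325030403.440     90 10.0.0.9 TCP_MISS/200 700 GET http://comlink.subwar.net:8080/ - DIRECT/203.0.113.9 text/html
"""

if __name__ == "__main__":
    print("Run-key hits:", check_run_entries(RUN_SAMPLE))
    print("autorun.inf launches:", autorun_launch_commands(AUTORUN_SAMPLE))
    print("benign autorun.inf launches:", autorun_launch_commands(BENIGN_AUTORUN))
    print("clients contacting C2 host:", c2_contacts(PROXY_LOG_SAMPLE))
```

On a live system the dict passed to check_run_entries would come from reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for example with winreg), and the autorun.inf text from the root of each removable drive; the parsing and matching logic stays the same. Any autorun.inf that launches an executable at all is worth a look, not only one naming the file from this description.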
Analysis by Haoran Yu
Last update 28 December 2011