
Worm:Win32/Vormus.A


First posted on 27 March 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Vormus.A is also known as Win32/Markadoo.A (CA), Worm.Win32.AutoRun.aawz (Kaspersky), Win32/AutoRun.VB.BT (ESET), W32/Sapo.A.worm (Panda).

Explanation:

Worm:Win32/Vormus.A is a worm that spreads via removable drives. It modifies system settings, such as disabling Control Panel, the Command Prompt, Task Manager, and Registry editing tools.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %windir%\mcvmmc.dll.exe
    <system folder>\shell32.dll.exe
  • The presence of the following registry modifications:
    Added value: "explorer "
    With data: "%windir%\mcvmmc.dll.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Added value: "MCVMMC "
    With data: "mcvmmc.dll.exe"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

    Added value: shell
    With data: "explorer.exe shell32.dll.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Installation

Upon execution, Worm:Win32/Vormus.A copies itself into the following files:
  • %windir%\mcvmmc.dll.exe
  • <system folder>\shell32.dll.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It may modify the system registry so that it automatically runs every time Windows starts up:
    Adds value: "explorer "
    With data: "%windir%\mcvmmc.dll.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Adds value: "MCVMMC "
    With data: "mcvmmc.dll.exe"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

It may modify the registry to ensure that a copy of the worm is executed at each Windows logon (see the "Spreads Via..." section below):
    Adds value: shell
    With data: "explorer.exe shell32.dll.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Spreads Via...

Removable Drives
Worm:Win32/Vormus.A spreads on all removable devices by dropping the following files in the root of all removable drives:
  • shell32.dll.exe - copy of this worm
  • autorun.inf - INF file that enables the worm copy to automatically run when the drive is accessed


Payload

Modifies System Settings
Worm:Win32/Vormus.A may perform the following system changes:
  • Removes the folder options item from all Windows Explorer menus and from the Control Panel:
    Adds value: "NoFolderOptions"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • Removes shortcut menus from the desktop and from Windows Explorer:
    Adds value: "NoViewContextMenu"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • Prevents users from accessing the Control Panel and any Control Panel program:
    Adds value: "NoControlPanel"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • Disables the use of registry editors and prevents users from starting Task Manager:
    Adds value: "DisableRegistryTools"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Adds value: "DisableTaskMgr"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Disables the command prompt 'Cmd.exe':
    Adds value: "DisableCMD"
    With data: 2
    To subkey: HKCU\Software\Policies\Microsoft\Windows\System
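The indicators in the Symptoms, Installation, Spreads Via and Payload sections above can be checked from one read-only audit script. The following PowerShell is an added example written for this page; it is not code from the original description or from the analyst, and the function name Get-VormusIndicators, the hashtable layout and the output fields are this example's own choices. It assumes PowerShell 3.0 or later and an elevated session so that the HKLM keys and every drive root are readable; the file and registry locations are exactly those listed on this page, including the trailing spaces in the value names "explorer " and "MCVMMC ".

```powershell
# Added example (not part of the original description): read-only audit for the
# Worm:Win32/Vormus.A indicators listed on this page. Nothing is modified; the
# function returns one object per indicator found.

function Get-VormusIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Location, $Value, $Detail) {
        $findings.Add([pscustomobject]@{
            Type = $Type; Location = $Location; Value = $Value; Detail = $Detail
        })
    }

    # 1. Files the worm copies itself to (%windir% and the System folder).
    $dropped = @(
        (Join-Path $env:windir 'mcvmmc.dll.exe')
        (Join-Path ([Environment]::SystemDirectory) 'shell32.dll.exe')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            Add-Finding 'File' $path $null 'dropped copy of the worm'
        }
    }

    # 2. Registry values from the Installation and Payload sections.
    #    Pattern = $null means "flag if the value exists at all"; otherwise the
    #    data must match. Winlogon\Shell normally holds "explorer.exe", so only
    #    a shell line that also launches shell32.dll.exe is reported, and the
    #    policy values are reported for any non-zero (restricting) data.
    $regChecks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';              Name = 'explorer ';            Pattern = $null;               Detail = 'Run-key autostart' }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'; Name = 'MCVMMC ';              Pattern = $null;               Detail = 'KnownDLLs entry' }
        @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';                Pattern = 'shell32\.dll\.exe'; Detail = 'Winlogon shell runs worm copy' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Pattern = '^[1-9]';            Detail = 'Folder Options removed' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Pattern = '^[1-9]';            Detail = 'context menus removed' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Pattern = '^[1-9]';            Detail = 'Control Panel blocked' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Pattern = '^[1-9]';            Detail = 'registry editors disabled' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Pattern = '^[1-9]';            Detail = 'Task Manager disabled' }
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Pattern = '^[1-9]';            Detail = 'command prompt disabled' }
    )
    foreach ($check in $regChecks) {
        $key = Get-Item -LiteralPath $check.Key -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $data = $key.GetValue($check.Name)      # honours the trailing spaces
        if ($null -eq $data) { continue }
        if ($check.Pattern -and ("$data" -notmatch $check.Pattern)) { continue }
        Add-Finding 'Registry' ('{0}\{1}' -f $check.Key, $check.Name) $data $check.Detail
    }

    # 3. Removable drives (DriveType 2): worm copy plus an autorun.inf that
    #    references it, both in the drive root. A plain autorun.inf on its own
    #    is not reported because legitimate media carry one too.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($drive in $drives) {
        $root = $drive.DeviceID + '\'
        $copy = Join-Path $root 'shell32.dll.exe'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $copy -PathType Leaf) {
            Add-Finding 'RemovableDrive' $copy $null 'worm copy in drive root'
        }
        if ((Test-Path -LiteralPath $inf -PathType Leaf) -and
            (Select-String -LiteralPath $inf -Pattern 'shell32\.dll\.exe' -Quiet)) {
            Add-Finding 'RemovableDrive' $inf $null 'autorun.inf launching the worm copy'
        }
    }

    return $findings.ToArray()
}

$found = @(Get-VormusIndicators)
if ($found.Count -eq 0) {
    Write-Output 'No Worm:Win32/Vormus.A indicators found.'
} else {
    $found | Format-Table -AutoSize
}
```

The script only reads; cleanup (deleting the dropped files and the Run, KnownDLLs and Winlogon entries, restoring the policy values) is left to the operator or an AV product, since the page gives no removal procedure. The policy values are matched on any non-zero data rather than the exact numbers listed above so that variants that set a different restricting value are still reported; the Run-key check is sensitive to the trailing space in "explorer ", so a sample that writes the name without it would need a second entry.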


Analysis by Wei Li

Last update 27 March 2009
