Worm:Win32/Ambler.A
First posted on 04 January 2010.
Source: SecurityHome
Aliases:
Worm:Win32/Ambler.A is also known as Trojan.Win32.Vilsel.ppi (Kaspersky), Trojan.Generic.CJ.AIET (BitDefender), Win32/Spy.Ambler.BB (ESET), Trojan-Downloader.Win32.BHO.lcp (Kaspersky), BHO.JTM (AVG), Win32/Spy.Ambler.M (ESET).
Explanation:
Worm:Win32/Ambler.A is a worm that spreads via networked and removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer.
Worm:Win32/Ambler.A is a worm that spreads via removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer.
Installation
When run, Worm:Win32/Ambler.A drops several randomly-named files onto the system. These file names vary from one instance of Ambler to the next, but in the wild one example has been observed to create the following files:
<system folder>\inform.dat (an encrypted copy of itself)
<system folder>\klpl1.dll
<system folder>\uiv
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Ambler launches the dropped DLL component and registers itself as a BHO (Browser Helper Object). It makes a number of registry modifications in order to facilitate its actions on the affected computer. For example, one variant made the following registry modifications:
Sets value: "(Default)"
With data: "DCOM service"
Sets value: "Locale"
With data: "EN"
Sets value: "StubPath"
With data: "rundll32 klpl1.dll,laspi"
Sets value: "IsInstalled"
With data: "1"
Sets value: "Version"
With data: "4,3,6,3"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{859374EE-7A74-4844-A161-33A579B1C4A6}

Sets value: "BN"
With data: "@g[g."
To subkey: HKLM\Software\MSN

Sets value: "(default)"
With data: "msn helper"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}

Sets value: "(default)"
With data: "klpl1.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\InprocServer32

Sets value: "(default)"
With data: "glok"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\ProgID

Sets value: "(default)"
With data: "{7357e059-704b-43b2-b82a-024510b52945}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\TypeLib

Sets value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Sets value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Sets value: "dcom"
With data: "rundll32.exe klp1l.dll,ID"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Spreads via...
Removable drives
Ambler may attempt to spread via removable drives. It does this by creating a directory called RECYCLER in the root of the removable drive. It then copies itself into this directory, with a file name such as "recycld.exe". For example:
<targeted drive>:\RECYCLER\recycld.exe
The worm also creates an autorun.inf file in the root directory of the drive in order to launch the worm if, for example, the drive is connected to another machine. The worm sets the hidden and system attributes for all of the aforementioned directories and files.
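The registry modifications and the removable-drive layout above are the artifacts a responder can actually check for. The script below is an added example, not code from the original page or from Microsoft's analysis: it parses a REGEDIT-format export (as produced by "reg export") and flags the persistence and policy entries the page lists, and it parses an autorun.inf to see whether the drive would launch an executable out of a RECYCLER directory. The .reg export and the autorun.inf text are constructed samples for the demo, not real captures; the regex for the RunOnce entry also accepts the "klp1l.dll" spelling the page gives for that value.

```python
"""Checks for the Worm:Win32/Ambler.A host artifacts described above.

Added example, not code from the original page or from Microsoft's analysis.
Assumes a REGEDIT-format registry export and an autorun.inf available as
text; the samples at the bottom are constructed for the demo.
"""
import configparser
import re
from typing import List, Tuple

# Durable indicators from the page: subkey suffix, value name ('' = default
# value) and a regex the data must match (all compared case-insensitively).
REGISTRY_INDICATORS: List[Tuple[str, str, str]] = [
    (r"Active Setup\Installed Components\{859374EE-7A74-4844-A161-33A579B1C4A6}",
     "StubPath", r"rundll32.*klpl1\.dll"),
    (r"Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\InprocServer32",
     "", r"klpl1\.dll"),
    (r"CurrentVersion\Policies\System", "DisableTaskMgr", r"^1$"),
    (r"CurrentVersion\Policies\System", "DisableRegistryTools", r"^1$"),
    # The page spells the RunOnce DLL "klp1l.dll"; accept either spelling.
    (r"CurrentVersion\RunOnce", "dcom", r"rundll32(\.exe)?\s+klp\w+\.dll,ID"),
]


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a REGEDIT4/5 export into (subkey, value name, data) triples.

    REG_SZ and REG_DWORD are decoded; other types are kept raw. The default
    value ("@" in the export) is reported with an empty name.
    """
    entries: List[Tuple[str, str, str]] = []
    subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            subkey = line[1:-1]
            continue
        if subkey is None or "=" not in line:
            continue
        name_part, data_part = line.split("=", 1)
        name = "" if name_part == "@" else name_part.strip('"')
        if data_part.startswith('"') and data_part.endswith('"'):
            data = data_part[1:-1]
        elif data_part.lower().startswith("dword:"):
            data = str(int(data_part[6:], 16))
        else:
            data = data_part
        entries.append((subkey, name, data))
    return entries


def find_registry_indicators(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the entries that match one of REGISTRY_INDICATORS."""
    hits = []
    for subkey, name, data in entries:
        for suffix, iname, pattern in REGISTRY_INDICATORS:
            if (subkey.lower().endswith(suffix.lower())
                    and name.lower() == iname.lower()
                    and re.search(pattern, data, re.IGNORECASE)):
                hits.append((subkey, name, data))
                break
    return hits


def autorun_launch_targets(autorun_text: str) -> List[str]:
    """Return every program an autorun.inf would launch: the open and
    shellexecute keys plus any shell\\...\\command key of [autorun]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case for readable output
    cp.read_string(autorun_text)
    targets = []
    if cp.has_section("autorun"):
        for key, value in cp.items("autorun"):
            k = key.lower()
            if k in ("open", "shellexecute") or k.endswith("\\command"):
                targets.append(value.strip())
    return targets


def is_ambler_style_autorun(autorun_text: str) -> bool:
    """True when autorun.inf launches an .exe from a RECYCLER directory,
    the layout the page describes (e.g. RECYCLER\\recycld.exe)."""
    return any(re.search(r"(^|\\)recycler\\[^\\]+\.exe$", t.lower())
               for t in autorun_launch_targets(autorun_text))


# Constructed sample export: the page's entries plus one benign Run value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{859374EE-7A74-4844-A161-33A579B1C4A6}]
@="DCOM service"
"Locale"="EN"
"StubPath"="rundll32 klpl1.dll,laspi"
"IsInstalled"=dword:00000001
"Version"="4,3,6,3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D62023F8-B0B6-4381-8C85-D07E5C45CA76}\InprocServer32]
@="klpl1.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dcom"="rundll32.exe klp1l.dll,ID"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

# Constructed sample autorun.inf matching the drive layout on the page.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\recycld.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\recycld.exe
"""

if __name__ == "__main__":
    for subkey, name, data in find_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"registry: {subkey} [{name or '(default)'}] = {data!r}")
    print("autorun.inf targets:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print("Ambler-style autorun.inf:", is_ambler_style_autorun(SAMPLE_AUTORUN_INF))
```

The registry rules key on the persistence mechanisms (Active Setup StubPath, the BHO's InprocServer32, RunOnce) and the two policy values, because those change least between instances; the dropped file names vary, as the page notes. The autorun check is deliberately broader than the one file name the page gives: any launch target under a RECYCLER directory is worth a look, since that folder name is meant for the recycle bin, not for executables.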
Payload
Steals sensitive information
This worm attempts to steal stored passwords from the following locations:
Microsoft Outlook Express
Internet Explorer password protected sites
MSN Explorer Signup
Internet Explorer auto complete fields
Internet Explorer auto complete passwords
Internet cookies
Passwords stored in pstore.dll
It may then create the following files in the <system folder> in order to store the stolen data:
m1.dat
o6.dat
br1.dat
ca.dat
nk.dat
o3.dat
l4.dat
jc.dat
c2d.dat
idm.dat
pld.dat
q1.dat
ck.dat
bx.dat
xd.dat
Stolen data is sent to a remote attacker. In the wild, Worm:Win32/Ambler.A has been observed to contact testthenewsource.net for this purpose.
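The payload section gives two further things to watch for on an endpoint: the stolen-data files appearing in the system folder and a DNS query for the contact domain. The following is an added example, not code from the original page or from Microsoft's analysis, that runs those checks over Sysmon-style JSON-lines events (the EventID 11 FileCreate and EventID 22 DnsQuery field names are an assumption about the log source; the events themselves are constructed for the demo). It also matches the dropped components from the Installation section, since they land in the same folder.

```python
"""Flag Worm:Win32/Ambler.A payload artifacts in Sysmon-style events.

Added example, not code from the original page or from Microsoft's analysis.
Field names follow Sysmon FileCreate (EventID 11) and DnsQuery (EventID 22)
events, which is an assumption about the log source; the sample events are
constructed for the demo.
"""
import json
import ntpath
from typing import List, Optional, Tuple

# Default system folders for the Windows versions the page names.
SYSTEM_FOLDERS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Files the worm has been seen to create in <system folder> to hold stolen data.
STOLEN_DATA_FILES = {
    "m1.dat", "o6.dat", "br1.dat", "ca.dat", "nk.dat", "o3.dat", "l4.dat",
    "jc.dat", "c2d.dat", "idm.dat", "pld.dat", "q1.dat", "ck.dat", "bx.dat",
    "xd.dat",
}
# Dropped components listed in the Installation section.
DROPPED_FILES = {"inform.dat", "klpl1.dll", "uiv"}
# Domain the page reports the worm contacting to send stolen data.
CONTACT_DOMAIN = "testthenewsource.net"

Finding = Tuple[str, str]


def classify_event(event: dict) -> Optional[Finding]:
    """Return (category, artifact) if the event matches an Ambler indicator."""
    if event.get("EventID") == 11:  # FileCreate
        path = event.get("TargetFilename", "")
        folder, name = ntpath.split(path)
        # Gate on the system folder: names like ca.dat are too generic alone.
        if folder.lower() in SYSTEM_FOLDERS:
            if name.lower() in STOLEN_DATA_FILES:
                return ("stolen-data store created", path)
            if name.lower() in DROPPED_FILES:
                return ("dropped component created", path)
    elif event.get("EventID") == 22:  # DnsQuery
        qname = event.get("QueryName", "").lower().rstrip(".")
        if qname == CONTACT_DOMAIN or qname.endswith("." + CONTACT_DOMAIN):
            return ("contact domain queried", qname)
    return None


def scan_events(jsonl: str) -> List[Finding]:
    """Run classify_event over JSON-lines input and collect the findings."""
    findings: List[Finding] = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events: three should match, three should not.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetFilename": "C:\\Windows\\System32\\m1.dat"}
{"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\invoice.exe", "TargetFilename": "C:\\Windows\\System32\\klpl1.dll"}
{"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\ca.dat"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\rundll32.exe", "QueryName": "testthenewsource.net"}
{"EventID": 22, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "QueryName": "www.microsoft.com"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"}
"""

if __name__ == "__main__":
    for category, artifact in scan_events(SAMPLE_EVENTS):
        print(f"{category}: {artifact}")
```

The file-name rules are the weakest of the indicators: the page says the names vary from one instance to the next, and two-letter .dat names are easy to collide with. The DNS rule is the more reliable signal for this variant and is written to catch subdomains and a trailing dot as well as the bare name.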
Analysis by Tim Liu
Last update 04 January 2010