Home / malware Worm:Win32/Synigh.A
First posted on 10 March 2009.
Source: SecurityHomeAliases :
Worm:Win32/Synigh.A is also known as Also Known As:Win32/IRCbot.CK (Microsoft), Win32/Aimbot.worm.15872 (AhnLab), Virus.Win32.PureMorph (other), Trojan.Win32.Inject.ord (Kaspersky), Troj/Agent-IWJ (Sophos), Suspicious.MH690 (Symantec).
Explanation :
Worm:Win32/Synigh.A is a worm that spreads to other computers across a network. It also has a backdoor component that is capable of connecting to an IRC server and executing commands from a remote attacker.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following files:
<system folder>system.exe - this is a hidden file so you may first have to configure your system to display hidden filesThe presence of the following registry modifications:
Added value: "Content Type"
With data: "text/x-component"
To subkey: HKCR.htc
Added value: "NvCplDaemon"
With data: "<system folder>system.exe"
To subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Worm:Win32/Synigh.A is a worm that spreads to other computers across a network. It also has a backdoor component that is capable of connecting to an IRC server and executing commands from a remote attacker.
Installation
Worm:Win32/Synigh.A creates the following files in the system:<system folder>system.exe - copy of itself as a hidden file <system folder><3 digit number>.exe - another copy of itself %temp%<5 digit number>.sys - a rootkit driver, detected as VirTool:WinNT/Rootkitdrv.GH Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP and Vista is C:WindowsSystem32. It creates the mutex "NvCplDaemon" and the following registry entry: Adds value: "Content Type"
With data: "text/x-component"
To subkey: HKCR.htc It also creates the following registry entry to enable its copy to run every time Windows starts: Modifies value: ""From data: "<system folder>userinit.exe"
With data: "<system folder>userinit.exe,<system folder>system.exe"
To subkey: HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon Adds value: "NvCplDaemon"
With data: "<system folder>system.exe"
To subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun If any of the above autorun registry entries are modified or deleted, Worm:Win32/Synigh.A recreates them. It also monitors the following registry key to check if its copies are pending for renaming:
HKLMSYSTEMCurrentControlSetControlSession ManagerPendingFileRenameOperations If an entry exists for any of its copies, that entry is removed to prevent them from being renamed. Worm:Win32/Synigh.A also injects malware code into "explorer.exe".Spreads Via...Removable DrivesWorm:Win32/Synigh.A may spread to other systems via removable drives. If a removable drive, such as a flash drive or a portable hard disk, is present in the system, Worm:Win32/Synigh.A drops the following files in it:explorer.exe - copy of itself autorun.inf - INF file that enables the backdoor copy to automatically run every time the drive is accessed and Autorun is enabled MS08-067Worm:Win32/Synigh.A may spread to other systems that are unpatched against the vulnerability discussed in Microsoft Security Bulletin MS08-067. It creates a thread that scans for possible exploitable machines and, if found, copies itself in the system. Yahoo! MessengerWorm:Win32/Synigh.A may spread via Yahoo! Messenger. If Yahoo! Messenger is currently active in the system, it spreads by sending a copy of itself to all of the user's contacts.
Payload
Bypasses FirewallWorm:Win32/Synigh.A bypasses the system firewall by adding itself to the firewall exception list: Adds value: ""
With data: "<system folder>system.exe:*:Enabled:NvCplDaemon"
To subkey: HKLMSYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Modifies System DateWorm:Win32/Synigh.A modifies the system date to January 1, 2090. Backdoor FunctionalityWorm:Win32/Synigh.A attempts to connect to the IRC server "sex.pornoturkiye.com" via TCP port 81. Once connected, an attacker can instruct this backdoor to download and execute files, scan for other systems, perform Denial of Service attacks, and attempt to access systems vulnerable to certain exploits. Blocks MSN CommunicationWorm:Win32/Synigh.A checks if MSN Messenger is active in the system. If it is, it blocks all communication between the user and the user's contacts.
Analysis by Scott Molenkamp and Patrik VicolLast update 10 March 2009
