Worm:Win32/Cubspewt.A
First posted on 07 April 2019.
Source: Microsoft

Aliases:
Worm:Win32/Cubspewt.A is also known as Win32/Cubspewt.B, Backdoor.Win32.Rbot.adzn, W32/Spybot.DTTN, Mal/AutoRun-H, Worm.Rbot.AOMT, Win32/AutoRun.IRCBot.BR, W32/Sdbot.worm.gen, W32/Sdbot.MDQ.worm, W32.SillyFDC.
Explanation:
Worm:Win32/Cubspewt.A is a worm that modifies certain system settings.

Installation
Worm:Win32/Cubspewt.A drops the following file in the hidden folder 'C:\Windows\system32 ':
smss.exe - a copy of itself, named after an existing Windows file in the real Windows system folder
Note that the folder name 'system32 ' created by this worm ends with a space character. In a directory listing the name is indistinguishable from the legitimate 'system32' folder, so the folder and the dropped copy pass for the real system folder and smss.exe and are not noticed by the user. The genuine smss.exe lives in 'C:\Windows\System32' (no trailing space); a copy running from any other path is the indicator to check.
It ensures that its dropped copy is run every time an executable file is run on the system:
Modifies value: "(Default)"
From data: ""%1" %*"
To data: ""C:\Windows\system32 \smss.exe" "%1" %*"
To subkey: HKCR\exefile\shell\open\command
Because this command is used to launch every .exe file, the original data ""%1" %*" must be restored before the dropped smss.exe is deleted; otherwise executables can no longer be started.
Worm:Win32/Cubspewt.A also modifies the system registry so that its dropped copy automatically runs every time Windows starts:
Adds value: "userinit"
With data: "userinit.exe, C:\Windows\system32 \smss.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates the following entries as part of its installation routine:
Adds value: "id"
With data: "1"
Adds value: "Name"
With data: "SMS Services"
To subkey: HKCU\Console

Spreads via…
Removable drives
Worm:Win32/Cubspewt.A copies itself to all removable drives as the file 'smss.exe'. It also drops the file 'autorun.inf' so that its copy is run automatically when the drive is accessed and Autorun is enabled.

Payload
Modifies system settings
Worm:Win32/Cubspewt.A changes several system settings, including:
Disables Windows service pack updates via Windows Update or Auto Update (WU/AU):
Adds value: "DoNotAllowXPSP2"
With data: "01, 00, 00, 00"
Adds value: "DoNotAllowXPSP3"
With data: "01, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Hides system files and disables the Windows Explorer option to show all files:
Adds value: "ShowSuperHidden"
With data: "0"
Adds value: "Hidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
With CheckedValue set to 0, selecting 'Show hidden files and folders' in Folder Options no longer takes effect, so the hidden folder and files stay out of view until the value is restored to 1.
Modifies the system firewall policy to allow its copy to access the network:
Adds value: "C:\Windows\system32 \smss.exe"
With data: "C:\Windows\system32 \smss.exe:*:Enabled:SMS Services"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList
Adds value: "C:\Windows\system32 \smss.exe"
With data: "C:\Windows\system32 \smss.exe:*:Enabled:SMS Services"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList
Disables the DCOM protocol on the system:
Modifies value: "EnableDCOM"
From data: "Y"
To data: "N"
To subkey: HKLM\SOFTWARE\Microsoft\Ole

Connects to a remote server
Worm:Win32/Cubspewt.A may connect to a remote server to download certain settings, such as where to download updates to itself. The downloaded settings file is saved in the 'system32 ' subfolder as win.log.

Analysis by Jaime Wong
Last update 07 April 2019
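The registry changes listed on this page are the host-side indicators a responder would check first. What follows is an added example, not Microsoft's page content or tooling: a Python script that parses a regedit-style .reg export and flags each of those indicators (the hijacked exefile handler, the extra Userinit entry, the service-pack block, the Explorer hidden-file settings, the DCOM switch, every enabled StandardProfile firewall exception, and any path with a trailing-space directory such as 'system32 '). The two embedded .reg samples are constructed for the example and assumed to reflect the entries above; the indicator ids are labels chosen here, not Microsoft's.

```python
"""Added triage helper (not Microsoft's tooling): parses a regedit .reg export
and flags the Worm:Win32/Cubspewt.A indicators listed on this page.
Both samples below are constructed, not captures from a real host."""
import re
from collections import defaultdict

# Constructed sample reproducing the registry changes described on the page.
INFECTED_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\system32 \\smss.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe, C:\\Windows\\system32 \\smss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=hex:01,00,00,00
"DoNotAllowXPSP3"=hex:01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplicationsList]
"C:\\Windows\\system32 \\smss.exe"="C:\\Windows\\system32 \\smss.exe:*:Enabled:SMS Services"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''
# Constructed sample of the same keys with their defaults on a clean host.
CLEAN_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
'''
# A value line is either @=data (default value) or "name"=data.
_VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes: \\ -> \ and \" -> "

def _parse_data(data):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if data.startswith('hex:'):  # REG_BINARY, read as a little-endian integer
        return int.from_bytes(bytes(int(b, 16) for b in data[4:].split(',')), 'little')
    return data

def parse_reg(text):
    """Return {key: {value_name: data}}; key and value names are lower-cased
    (the registry is case-insensitive) and '@' is the default value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) is None else _unescape(m.group(1)).lower()
            current[name] = _parse_data(m.group(2))
    return keys

def _lookup(keys, key_suffix, name):
    """Data of value `name` under the first key ending in key_suffix, else None."""
    return next((v.get(name.lower()) for k, v in keys.items()
                 if k.endswith(key_suffix.lower())), None)

def has_trailing_space_dir(path):
    """True if a directory component ends in a space, as in 'system32 '."""
    return any(p and p != p.rstrip() for p in path.split('\\')[:-1])

def scan(keys):
    """Map indicator id -> offending values; an empty dict means nothing was seen."""
    hits = defaultdict(list)
    cmd = _lookup(keys, r'exefile\shell\open\command', '@')
    if cmd is not None and cmd.strip().lower() != '"%1" %*':
        hits['exefile-hijack'].append(cmd)  # every .exe launch goes through the worm
    userinit = _lookup(keys, r'Windows NT\CurrentVersion\Winlogon', 'Userinit') or ''
    for entry in (e.strip() for e in userinit.split(',')):
        if entry and not entry.lower().endswith('userinit.exe'):
            hits['userinit-extra'].append(entry)  # extra program run at logon
    for name in ('DoNotAllowXPSP2', 'DoNotAllowXPSP3'):
        if _lookup(keys, r'Policies\Microsoft\Windows\WindowsUpdate', name):
            hits['sp-blocked'].append(name)
    for name in ('ShowSuperHidden', 'Hidden'):
        if _lookup(keys, r'CurrentVersion\Explorer\Advanced', name) == 0:
            hits['explorer-hide'].append(name)
    if _lookup(keys, r'Advanced\Folder\Hidden\SHOWALL', 'CheckedValue') == 0:
        hits['showall-broken'].append('CheckedValue')
    if str(_lookup(keys, r'Microsoft\Ole', 'EnableDCOM')).upper() == 'N':
        hits['dcom-disabled'].append('EnableDCOM')
    for key, values in keys.items():
        fw = key.endswith(r'\authorizedapplicationslist')
        for vname, data in values.items():
            if fw and ':enabled:' in str(data).lower():  # path:scope:Enabled:name
                hits['firewall-exception'].append(str(data).rsplit(':', 3)[0])
            if has_trailing_space_dir(vname) or (isinstance(data, str) and has_trailing_space_dir(data)):
                hits['trailing-space-path'].append(key + '\\' + vname)
    return dict(hits)
```

On a live host, feed it an export such as `reg export HKLM hklm.reg` (reg.exe writes Unicode files, so open them with encoding='utf-16'), and treat the 'firewall-exception' list as items to review rather than as verdicts, since it lists every enabled StandardProfile exception, not only the worm's.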