Worm:Win32/Racos.A
First posted on 29 November 2011.
Source: SecurityHome
Aliases :
There are no other names known for Worm:Win32/Racos.A.
Explanation :
Worm:Win32/Racos.A is a worm that spreads by dropping a copy of itself in every available removable drive.
It can upload files to a remote server.
Installation
Worm:Win32/Racos.A copies itself in the Windows font folder as the hidden file "smss.exe". Note that a legitimate file also named "smss.exe" exists by default in the Windows system folder.
It creates a mutex named "Microsoft smss.exe".
It also modifies the system registry so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "smss"
With data: "smss.exe"
Spreads via...
Removable drives
Worm:Win32/Racos.A copies itself into all removable drives as the file "~$doc.exe". It also drops an Autorun file designed to automatically execute its copy when the drive is accessed and Autorun is enabled.
The file "~$doc.exe" may have the following icon:
Payload
Modifies computer settings
Worm:Win32/Racos.A stops the display of files that have 'system' and 'hidden' attributes by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Uploads files
Worm:Win32/Racos.A has the ability to upload files from the affected computer to the remote server "irra<removed>web.me".
Logs keystrokes
Worm:Win32/Racos.A can log keystrokes on the affected computer.
Analysis by Daniel Chipiristeanu
Last update 29 November 2011
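A read-only host check for the artifacts described above, added here as an example (it is not part of the original analysis or any vendor tool). The function name `Get-RacosIndicator` is hypothetical, and the Autorun file is assumed to use the standard name `autorun.inf`, which the description does not state.

```powershell
# Added example: read-only triage for the Worm:Win32/Racos.A artifacts listed on this page.
# Get-RacosIndicator is a hypothetical name; nothing is modified or deleted.
function Get-RacosIndicator {
    # Installation: hidden copy in the Windows font folder. The legitimate smss.exe
    # lives in the system folder, so only the Fonts path is tested.
    $fontCopy = Join-Path $env:windir 'Fonts\smss.exe'
    if ([System.IO.File]::Exists($fontCopy)) {   # File.Exists ignores the hidden attribute
        [pscustomobject]@{ Indicator = 'Copy in font folder'; Detail = $fontCopy }
    }

    # Persistence: Run value "smss" with data "smss.exe".
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
        -Name 'smss' -ErrorAction SilentlyContinue
    if ($run -and $run.smss -eq 'smss.exe') {
        [pscustomobject]@{ Indicator = 'Run key entry'; Detail = 'smss = smss.exe' }
    }

    # Mutex "Microsoft smss.exe": it can only be opened while some process holds it.
    # The name is resolved in the current session, so other sessions are not covered.
    try {
        [System.Threading.Mutex]::OpenExisting('Microsoft smss.exe').Close()
        [pscustomobject]@{ Indicator = 'Mutex present'; Detail = 'Microsoft smss.exe' }
    } catch {
        # Absent (or not openable by this user): no finding.
    }

    # Spreading: "~$doc.exe" in the root of each removable drive (DriveType 2).
    # Assumption: the dropped Autorun file is named autorun.inf.
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $copy = $d.DeviceID + '\~$doc.exe'
        if ([System.IO.File]::Exists($copy)) {
            $autorun = [System.IO.File]::Exists($d.DeviceID + '\autorun.inf')
            [pscustomobject]@{ Indicator = 'Copy on removable drive'
                               Detail    = "$copy (autorun.inf present: $autorun)" }
        }
    }

    # Payload: ShowSuperHidden = 0 for the user running this check. Hiding protected
    # files is also the normal Explorer setting, so this is context, not a finding alone.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name 'ShowSuperHidden' -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) {
        [pscustomobject]@{ Indicator = 'ShowSuperHidden is 0 (context only)'; Detail = 'HKCU Explorer\Advanced' }
    }
}

Get-RacosIndicator | Format-Table -AutoSize
```

The font-folder copy, the Run entry and the removable-drive copy are the strongest signals; the `HKCU` check reflects only the account the script runs under.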