Home / malware Win32.Worm.Socks.L
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Win32.Worm.Socks.L.
Explanation :
This virus is using as mutex a file called C:stop to update itself. It has the capacity to detect if it's running on virtual machine and it copies itself in two different places: %system%/drivers/spools.exe,%userprofile%/ctfmon.exe.
Just when it starts running it deletes the file(C:stop) and tests if is an instance of one of those two standard locations. If not, it creates the file(C:stop), writing in it one byte and, at this particular moment, if any older version is running, that version shall be stopped; it deletes spools.exe and ctfmon.exe because they could be from an older version. It copies itself in those standard locations and after that it deletes C:stop.
The virus is supposed to be executed when any exe file is executed, so, if it is this case, will use WinExec to launch that exe application. It uses CreateFileMappingA with an argument named "a3r3" as mutex too. If that object does not already exist and if GetLastError() from CreateFileMappingA is ERROR_ACCESS_DENIED it executes a copy of itself: %USERPROFILE%/ctfmon.exe and exits. Else if it is being created without ERROR_ACCESS_DENIED two main threads will be executed. The first one just tests if C:stop exists exiting the process when that file will be available. That will be the case when the new version will be installed. The second thread is more complicated. It generates a unique string for host computer using the path to %system% folder, computer name, and VolumeSerialNumber of SystemDrive.
For Autorun:
-sets the registry values to be executed when system starts
and when any exe file is started:
adds the values:
"ntuser" = %system%driversspools.exe
"autoload" = %userprofile%ctfmon.exe
under the key: HKLMSoftwareMicrosoftWindowsCurrentVersionRun
modifies the value:
"ImagePath" = %system%driversspools.exe
under the key: HKLMSYSTEMCurrentControlSetServicesSchedule
to register itself ar a service
modifies the value:
"HKCRexefileshellopencommand(Default)" =
"%userprofile%ctfmon.exe "%1" %*"
so that ctfmon.exe is run when files with extension of EXE are opened/launched
-in some versions modifies userinit.exe replacing "Winlogon" with "Terminal" and copies registry keys from
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
to HKLMSOFTWAREMicrosoftWindows NTCurrentVersionTerminal
For Download:
-each version has a number from one to three different URLS ( C&C )
-it searches in data returned from each url for "<form method=" to see if that URL is a valid one
-it is possible to use this test to get rid of an automated analysis of traffic
-when it finds a valid one it concatenates it with manda.php and makes a request with InternetReadFile.The received data has the following template: URL|id (eg.: http://xxxxxx.org/file.exe|177)
-this exe will be downloaded to a random tmp file and executed, an acknowledge request will be sent to C&C with job-id (eg.: http://xxxx.info/manda.php?id=UNIQUE_COMPUTER_ID&l=JOB-ID&v=BOT_VERSION )
-if the URL to exe file does not contain "ggg" clean routine will not start
-downloaded files are random malware
Clean Routine:
-it searches in %system%drivers for a file of size 27008
-if it finds it, it will stop its service, remove it and delete the file
-probably is a driver from Trojan.Kobcka that can't be found by name because it has a random name
-stops and removes grade48 service
-removes from registry traces of that driver of 27008 size
-deletes grande48.sys from %system%drivers (grande48.sys is related to Trojan.Srizbi)
-deletes %system%/WLCtrl32.dll related to kobckaLast update 21 November 2011