
Worm:Win32/Pykspa.C


First posted on 09 April 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Pykspa.C is also known as Trojan.Win32.Vilsel.piv (Kaspersky), W32/Pykse.A (Norman), BackDoor.Hackdoor.P (AVG), Win32/AutoRun.Agent.TG (ESET), W32/Pykse.worm (McAfee), W32.Pykspa.D (Trend Micro).

Explanation:

Worm:Win32/Pykspa.C is a worm that spreads via Skype messaging, Twitter, mapped drives and network shares. It contains a backdoor that allows it to execute arbitrary commands from a remote attacker.

Installation
Worm:Win32/Pykspa.C is typically installed to the %temp% folder by other malware, such as TrojanDropper:Win32/Pykspa.A. When run, it creates a hidden system folder in %temp% (for example %temp%\symchskoblw). It makes a number of copies of itself (which may have random data appended) in the temp folder with pseudo-random file names (for example lmvggm.exe). It may also change its icon to one copied from a random executable selected from the %ProgramFiles% folder. If the system is currently in safe mode, it forces a reboot. Depending on how it was launched, it may show a Windows Explorer window displaying the contents of the folder that it was opened from.

It creates a number of registry entries intended to ensure that its various copies are launched upon system startup. These also use pseudo-random values. For example:

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "owmelysynzmxt" (14 chars)
With data: "ymigtmmytlevxpucuoq.exe" (16-22 chars)
Adds value: "ymigtmmytlevxpucuoq"
With data: "%temp%\navsewvgarjzarvctm.exe"

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "pypiqezgwjxjgt"
With data: "ymigtmmytlevxpucuoq.exe ."
Adds value: "navsewvgarjzarvctm"
With data: "xibwgwtcujznmbdi.exe ."

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "scuoxmiqhvkxvjk"
With data: "xibwgwtcujznmbdi.exe"
Adds value: "pwlciunsgrdn"
With data: "%temp%\aqoodyaolfatxryicycve.exe"

Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "xibwgwtcujznmbdi"
With data: "laxwkefsohbtwpvexsvn.exe"
Adds value: "owmelysynzmxt"
With data: "%temp%\navsewvgarjzarvctm.exe"

Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "eqkgrigqjzqffvyeu"
With data: "xibwgwtcujznmbdi.exe ."
Adds value: "pypiqezgwjxjgt"
With data: "%temp%\xibwgwtcujznmbdi.exe ."

It writes files with encrypted configuration information to the following folders:

  • %system%
  • %ProgramFiles%
  • %appdata%
  • %Temp%

These files also have pseudo-random file names, including their extension (e.g. nzszlzrfrylzvnnzszlzrfrylzvnnzszlzr.ryl or efnjknuxyuwzkrghplmpwzaw.bmt).

Spreads via…

Mapped drives

If commanded to do so, the malware enumerates all mapped drives attached to the system and attempts to copy itself to the root folder of each drive with a pseudo-random file name with a .bat extension (e.g. owmelysynzmxt.bat). It also places an autorun.inf file in the root folder pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

Network shares

If the WinRAR compression utility is installed on the system, the malware searches the user's My Documents folder for files with the following extensions:

  • .doc
  • .jpg
  • .jpeg
  • .rtf
  • .gif
  • .ppt
  • .xls
  • .bmp
  • .3gp
  • .txt

Once it has found four of these files, it uses rar.exe to create a compressed archive containing the four files, as well as a copy of itself with one of the following file names with an .exe extension:

  • Sample Music
  • My Music
  • Sample Pictures
  • My Pictures
  • Intel 32
  • Blank Bkgrd
  • Citrus Punch Bkgrd
  • Clear Day Bkgrd
  • Fiesta Bkgrd
  • Glacier Bkgrd
  • Leaves Bkgrd
  • Maize Bkgrd
  • Nature Bkgrd
  • Network Blitx Bkgrd
  • Pie Charts Bkgrd

If commanded to do so, the malware attempts to connect via port 445 to other systems on the network and enumerate their available network shares. If any are found, it copies the archive to these shares.

Skype messaging
If commanded to do so and Skype is installed, the malware attempts to send one of the following messages to the user's contacts, as well as a URL for a copy of itself being served from the local machine (see Payload section below for additional detail). Note that %s may indicate another of the messages below, or other data retrieved from the user's Skype configuration.

  • Hello
  • hi
  • how are you
  • hello again
  • you skype version is old
  • what are you?
  • from where are you?
  • what are you doing in my contacts?
  • as I said %s
  • so %s
  • %s :D
  • look %s
  • here %s
  • so what do you think?
  • what is in that link on your skype?
  • do you have camera on skype?
  • is it really your web site?
  • what do you think about that?
  • what is there?
  • pudge women ;)
  • piece of shit now everyone know ;)
  • idiot what are you doing
  • crazy bitch
  • why dont you speak
  • I saw you photo. I would like to speak with you
  • I saw you last week. I would like to speak with you
  • I watching you long time. I would like to speak with you
  • %s I know what you did
  • %s :D :D :D idiot name
  • i lost my job.. i am idiot.. i want to die..
  • (beer) ?
  • nice ass :* muhahahaaahaha
  • little boy :]]]] I know about your little problem :D
  • gay :D
  • what new?
  • what the f**k is that ?
  • bad news
  • dude
  • bitch
  • niger
  • impotent

It checks the user interface language defined in the user's Skype configuration, and if this language is one from the list below, it instead uses a translated equivalent of the above messages.

  • English
  • German
  • Russian
  • Romanian
  • Danish
  • Polish
  • Italian
  • Latvian
  • French
  • Gaelic
  • Slovakian
  • Lithuanian
  • Spanish
  • Norwegian
  • Estonian
  • Swedish
  • Czech

Twitter

If commanded to do so, the malware searches for windows with "Twitter" in their title. If a window is found, the malware pastes messages into the window's input box, and sends these messages.

Payload

Allows backdoor access and control

The malware connects to a remote server which may respond with a command for it to execute. Possible commands may include:
  • Spread via mapped drives
  • Spread via network shares
  • Spread via Skype messaging
  • Spread via Twitter
  • Download and execute arbitrary files
  • Execute an existing file
  • Steal information
  • Change port of local webserver
  • Sleep
  • Terminate processes
  • Delete files
  • Stop running
  • Shut down Windows
  • Modify the registry
  • Place data in clipboard
  • Modify the hosts file

Runs Web server

The malware runs a Web server on the affected system, which allows it to serve copies of the malware or other files to users that follow the links in messages that the malware sends to them. The port used by the server is randomly chosen between 13000 and 63000, and may also be configured to a particular value by the backdoor's controller.

Steals information

The malware may query the user's Skype configuration in order to obtain their personal information, or the personal information of their contacts. This information might include:
  • Full names
  • Gender and date of birth
  • Addresses and phone number
  • Online status
  • Skype account balance
  • Skype capabilities (for example, voicemail, video)
  • Skype mood text
  • Chat history

Deletes System Restore points

The malware attempts to prevent the user from being able to restore their system to an earlier state by attempting to delete the entire contents of the "\System Volume Information" folder on the C:\ drive, and any other drives where it might be present.

Modifies security settings

The malware makes a number of registry modifications in order to lower security settings:

Disables User Account Control:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "EnableLUA"
With data: 0

Disables registry tools:
Under keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: 1

Changes various system policies:
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
Sets value: "ConsentPromptBehaviorAdmin"
With data: 0
Sets value: "ConsentPromptBehaviorUser"
With data: 0
Sets value: "EnableInstallerDetection"
With data: 0
Sets value: "EnableSecureUIAPaths"
With data: 0
Sets value: "EnableVirtualization"
With data: 0
Sets value: "PromptOnSecureDesktop"
With data: 0
Sets value: "ValidateAdminCodeSignatures"
With data: 0
Sets value: "FilterAdministratorToken"
With data: 0

Disables Autorun for drive A:
Under keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: 1

Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: 145

Disables certain Security Center settings:
Under key: HKLM\SOFTWARE\Microsoft\Windows\Security Center
Sets value: "AntiVirusOverride"
With data: 1
Sets value: "FirewallOverride"
With data: 1
Sets value: "UacDisableNotify"
With data: 1
Sets value: "AntiVirusDisableNotify"
With data: 1
Sets value: "FirewallDisableNotify"
With data: 1
Sets value: "UpdatesDisableNotify"
With data: 1

Prevents Windows Defender from running upon system startup:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "Windows Defender"

Prevents Windows Security Center from displaying alerts if the firewall or other security programs are disabled:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects
Deletes subkey: {FD6905CE-952F-41F1-9A6F-135D9C6622CC}

Removes the list of services to be started if the computer is started in safe mode:
Under key: HKLM\SYSTEM\CurrentControlSet\Control
Deletes subkey: SafeBoot

Stops and disables services

The malware attempts to stop and disable the following services:

  • TrustedInstaller
  • MpsSvc
  • wscsvc
  • SharedAccess
  • WinDefend
  • Wuauserv
  • BITS
  • ERSvc
  • WerSvc
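As an added example (not part of the original write-up), the Python script below audits a registry snapshot for the two groups of changes described above: the pseudo-random autostart entries listed under Installation, and the policy values, Security Center values and key deletions listed under Modifies security settings. The snapshot format (a dict mapping a key path to its value-name/data pairs, as one might build from an offline hive or a saved `reg query` export), the heuristic for spotting the pseudo-random autostart data, and both sample snapshots are my own constructions and assumptions.

```python
import re

# Key paths and value names taken from the write-up above. Registry paths and
# value names are case-insensitive, so everything is compared in lower case.
AUTOSTART_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
POLICIES_SYSTEM_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
POLICIES_SYSTEM_KEYS = (POLICIES_SYSTEM_HKLM,
                        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System")
UAC_VALUES_ZEROED = ("EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser",
                     "EnableInstallerDetection", "EnableSecureUIAPaths", "EnableVirtualization",
                     "PromptOnSecureDesktop", "ValidateAdminCodeSignatures",
                     "FilterAdministratorToken")
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Windows\Security Center"
SECURITY_CENTER_SET = ("AntiVirusOverride", "FirewallOverride", "UacDisableNotify",
                       "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
DELETED_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects"
    r"\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}",
)
DEFENDER_RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristic (my assumption, not from the write-up): the autostart data shown above
# is a bare lower-case letter run ending in .exe, optionally prefixed with %temp%\
# and optionally followed by " .", with no real directory path.
RANDOM_EXE = re.compile(r"^(%temp%\\)?[a-z]{6,24}\.exe( \.)?$", re.IGNORECASE)


def _normalize(snapshot):
    """Lower-case every key path and value name of a {key: {name: data}} snapshot."""
    return {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}


def audit_registry(snapshot):
    """Return a list of (category, detail) findings matching the behaviour above."""
    reg = _normalize(snapshot)
    findings = []
    for key in AUTOSTART_KEYS:  # persistence entries with pseudo-random names
        for name, data in reg.get(key.lower(), {}).items():
            if isinstance(data, str) and RANDOM_EXE.match(data):
                findings.append(("autostart", f"{key}\\{name} -> {data}"))
    hklm_policies = reg.get(POLICIES_SYSTEM_HKLM.lower(), {})
    for name in UAC_VALUES_ZEROED:  # UAC and related policies forced to 0
        if hklm_policies.get(name.lower()) == 0:
            findings.append(("uac", f"{name} = 0"))
    for key in POLICIES_SYSTEM_KEYS:  # registry tools disabled (HKLM and HKCU)
        if reg.get(key.lower(), {}).get("disableregistrytools") == 1:
            findings.append(("regtools", f"{key}\\DisableRegistryTools = 1"))
    sec_center = reg.get(SECURITY_CENTER.lower(), {})
    for name in SECURITY_CENTER_SET:  # Security Center overrides / notifications off
        if sec_center.get(name.lower()) == 1:
            findings.append(("seccenter", f"{name} = 1"))
    for key in DELETED_KEYS:  # SafeBoot and the Security Center shell object removed
        if key.lower() not in reg:
            findings.append(("deleted_key", key))
    run = reg.get(DEFENDER_RUN_KEY.lower())
    if run is not None and "windows defender" not in run:
        findings.append(("defender_autostart", "Windows Defender value absent from HKLM Run"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'autostart': 4, 'uac': 3}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample snapshots (not captures from a real host).
INFECTED_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "owmelysynzmxt": "ymigtmmytlevxpucuoq.exe",
        "ymigtmmytlevxpucuoq": r"%temp%\navsewvgarjzarvctm.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "pypiqezgwjxjgt": "ymigtmmytlevxpucuoq.exe ."},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "xibwgwtcujznmbdi": "laxwkefsohbtwpvexsvn.exe",
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {
        "EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0,
        "DisableRegistryTools": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\Security Center": {
        "AntiVirusOverride": 1, "FirewallOverride": 1, "UacDisableNotify": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Control": {},  # SafeBoot subkey is gone
}
CLEAN_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Windows Defender": r"%ProgramFiles%\Windows Defender\MSASCui.exe -hide"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {
        "EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\Security Center": {
        "AntiVirusOverride": 0, "FirewallOverride": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot": {},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects"
    r"\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}": {},
}

if __name__ == "__main__":
    for category, detail in audit_registry(INFECTED_SNAPSHOT):
        print(f"[{category}] {detail}")
```

The autostart heuristic deliberately ignores entries whose data carries a real directory path, so ordinary per-user entries such as the constructed OneDrive value are not reported; the "Windows Defender value absent" check only fires when the Run key itself is present, and on a fleet it should be compared against a known-good baseline for the Windows version rather than treated as a hit on its own.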

Closes windows

The malware may attempt to close any windows which have any of the following strings in their title text:

  • Regedit
  • Spyware
  • Rstrui
  • Procmon
  • Regmon
  • Eset
  • Procexp
  • IceSword
  • Sysclean
  • dr. web
  • dr.web
  • esetsmart
  • soft security e
  • internet security
  • Restauration du sy
  • trend micro
  • Sistemos atk
  • Antivir
  • Sysinternals
  • Registry
  • NetTools
  • Zonealarm
  • Firewall
  • avg
  • computer management
  • virus
  • worm
  • system configuration
  • Hiajck
  • Hijack
  • security center
  • system restore
  • antivirus
  • antianti
  • Process Ex
  • Process Ha

Blocks access to Web sites
The malware may attempt to block access to Web sites whose addresses contain the following strings:

  • ahnlab
  • arcabit
  • avast
  • avg.
  • avira
  • avp.
  • bit9.
  • castlecops
  • centralcommand
  • cert.
  • clamav
  • tcpview
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • Kaspersky
  • Malware
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • sans.
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • vet.
  • Virus
  • Wilderssecurity
  • windowsupdate

Additional information

The malware has been observed to be installed by a dropper such as TrojanDropper:Win32/Pykspa.A. This dropper also installs a component which attempts to uninstall assorted security software from the system. This component may be detected as Trojan:Win32/Killav.DR.

The malware may connect to one of the following servers in an attempt to determine the IP address of the system it is installed in:
  • www.showmyipaddress.com
  • whatismyipaddress.com
  • whatismyip.ca
  • whatismyip.everdot.org

The malware contacts a commonly used Web server, randomly chosen from the list below, and uses information from the returned HTTP header to determine the current date and time. These sites include:

  • ebay.com
  • baidu.com
  • imdb.com
  • bbc.co.uk
  • adobe.com
  • blogger.com
  • wikipedia.org
  • yahoo.com
  • youtube.com
  • myspace.com
  • facebook.com
  • google.com
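The backdoor command list includes "Modify the hosts file", and the Blocks access to Web sites section lists the address strings the malware targets; the usual way such blocking is implemented is a hosts entry that pins the vendor's hostname to an unreachable or loopback address. As an added example (not part of the original write-up), the Python script below parses hosts-file text and reports entries whose hostname contains one of the strings from that list. The hosts-file contents are a constructed sample, and the parsing rules (comment stripping, several hostnames per line) are my own assumptions about the file format rather than anything the write-up states.

```python
# Strings from the "Blocks access to Web sites" list above, lower-cased.
BLOCKED_STRINGS = (
    "ahnlab", "arcabit", "avast", "avg.", "avira", "avp.", "bit9.", "castlecops",
    "centralcommand", "cert.", "clamav", "tcpview", "comodo", "computerassociates",
    "cpsecure", "defender", "drweb", "emsisoft", "esafe", "eset", "etrust", "ewido",
    "f-prot", "f-secure", "fortinet", "gdata", "grisoft", "hacksoft", "hauri", "ikarus",
    "jotti", "k7computing", "kaspersky", "malware", "mcafee", "networkassociates",
    "nod32", "norman", "norton", "panda", "pctools", "prevx", "quickheal", "rising",
    "rootkit", "sans.", "securecomputing", "sophos", "spamhaus", "spyware", "sunbelt",
    "symantec", "threatexpert", "trendmicro", "vet.", "virus", "wilderssecurity",
    "windowsupdate",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Blank lines and '#' comments (whole-line or trailing) are ignored, fields may
    be separated by spaces or tabs, and one line may list several hostnames.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def suspicious_hosts_entries(text):
    """Return (ip, hostname, matched_string) for entries naming a listed site.

    The match is a case-insensitive substring test, mirroring the way the
    write-up describes the blocking ("addresses contain the following strings").
    """
    hits = []
    for ip, name in parse_hosts(text):
        lowered = name.lower()
        for needle in BLOCKED_STRINGS:
            if needle in lowered:
                hits.append((ip, name, needle))
                break  # report each entry once, on its first matching string
    return hits


# Constructed sample hosts file for this example, not a capture from an infected host.
SAMPLE_HOSTS = """\
# hosts file - constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       update.symantec.com      # trailing comment is ignored
0.0.0.0         download.windowsupdate.com
127.0.0.1\tus.norton.com liveupdate.symantec.com
192.168.1.10    intranet.example.test
"""

if __name__ == "__main__":
    for ip, name, needle in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} matched '{needle}'")
```

On a Windows host the text to feed in is the contents of `%SystemRoot%\System32\drivers\etc\hosts`; because several of the strings (for example "rising", "panda", "vet.") are short, a hit from this check is a lead to verify rather than a verdict on its own.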

    Analysis by David Wood

    Last update 09 April 2010

     
