
Worm:Win32/Chupik.A


First posted on 09 October 2012.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Chupik.A.

Explanation :



Worm:Win32/Chupik.A is a Visual Basic-compiled worm that propagates via fixed media; for example, a hard disk drive or flash drive. It may also download files, possibly malicious, onto your computer.



Installation

When executed, the worm drops its copy to the following:

  • %windir%\h2s.exe
  • %windir%\nacl.exe
  • %windir%\system\lsass.exe
  • %windir%\userinit.exe


Note that %windir% is a hard-coded path in the malware.

It then creates and opens a folder, named after the executable file, in the directory from which the malware was executed.

For example, if the file name of the executable is "Tools.exe" then it will create a folder named "Tools" and open it. It may do this to trick you into thinking that this is just a normal folder, as the malware uses a folder icon.

It makes the following changes to the registry to ensure it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "pikachu"
With data: "C:\WINDOWS\nacl.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Userinit"
With data: "C:\WINDOWS\system32\userinit.exe,"
To value: "Userinit"
With data: "C:\WINDOWS\userinit.exe"

Spreads via...

Fixed and removable drives

Worm:Win32/Chupik.A drops a copy of itself to any available fixed or removable drive.

On a hard disk drive, the worm enumerates all the drives on the computer except for the root drive (usually C:\).

Once a drive has been found, it will search for all the folders in that drive, and then drop its copy as an executable file with the same name as the folder. It then changes the attributes of the folder to be hidden.

For example, if there is a folder named "Games" in the drive, then the malware will drop its copy as "Games.exe", and so on.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the network and/or removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

On a flash drive, Worm:Win32/Chupik.A drops its copy as "h2o.exe" together with an Autorun.inf file, so that the malware will be executed when Autorun is enabled.
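The folder/decoy layout described above is easy to check for on a mounted drive. This Python scan is an added example (not part of the Microsoft analysis); the sample drive it builds in a temporary directory is constructed, not a real capture, and the hidden-attribute check only works where the filesystem exposes Windows attributes.

```python
import stat
import tempfile
from pathlib import Path

# Windows 'hidden' attribute bit; the stat constant is absent on some builds.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path):
    """True/False from the Windows hidden attribute; None where the filesystem
    exposes no such attribute (non-Windows), so the caller can report 'unknown'."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & HIDDEN)


def find_folder_mimics(drive_root):
    """Scan the top level of a drive for '<Name>' + '<Name>.exe' pairs, the layout
    the worm leaves behind after hiding the real folder beside its decoy."""
    root = Path(drive_root)
    hits = []
    for entry in root.iterdir():
        if not entry.is_dir():
            continue
        twin = root / f"{entry.name}.exe"
        if twin.is_file():
            hits.append({"folder": entry.name, "exe": twin.name,
                         "folder_hidden": is_hidden(entry)})
    return sorted(hits, key=lambda h: h["folder"].lower())


def build_sample_drive():
    """Constructed stand-in for an infected drive (not a real capture): two
    folders with decoys, one without, and an unrelated executable."""
    root = Path(tempfile.mkdtemp(prefix="chupik_demo_"))
    for name in ("Games", "Photos", "Work"):
        (root / name).mkdir()
    for name in ("Games.exe", "Photos.exe", "setup.exe"):
        (root / name).write_bytes(b"MZ placeholder, not a real executable")
    return root


if __name__ == "__main__":
    for hit in find_folder_mimics(build_sample_drive()):
        print(f"{hit['exe']} shadows folder {hit['folder']} "
              f"(folder hidden: {hit['folder_hidden']})")
```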

Payload

Modifies system settings

Worm:Win32/Chupik.A modifies the affected computer system's settings by making the following changes to the registry:

It disables the system utility Task Manager by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "dword:00000001"

It disables registry editing tools by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "dword:00000001"

It restricts the use of Microsoft Management Console (MMC) snap-ins.

In subkey: HKCU\Software\Policies\Microsoft\MMC
Sets value: "RestrictToPermittedSnapins"
With data: "dword:00000001"

It disables Command Prompt by making the following registry modification:

In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: "DisableCMD"
With data: "dword:00000001"

It removes the Folder Options item from all Explorer menus and the Control Panel by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "NoFolderOptions"
With data: "dword:00000000"

It removes the "Run" command from the Start menu:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "NoRun"
With data: "dword:00000000"

It overrides the display settings so files with the 'hidden' attribute are not displayed; it does this by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "dword:00000000"

It stops the display of files that have 'system' and 'hidden' attributes by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "SuperHidden"
With data: "dword:00000000"

It modifies the 'Show hidden files and folders' options in the 'Folders Options' menu in Windows Explorer by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
Sets value: "CheckedValue"
With data: "dword:00000002"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "dword:00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: "CheckedValue"
With data: "dword:00000000"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Sets value: "UncheckedValue"
With data: "dword:00000001"

It deletes the following registry entries to prevent you from booting into Safe Mode:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Sets value: "@"
With data: "DiskDrive"

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Sets value: "@"
With data: "DiskDrive"

Drops files

Worm:Win32/Chupik.A creates the following shared folder on your computer:

C:\Documents and Settings\Temp

It does this by executing the following command:

net share "phim_hai_hay=C:\Documents and Settings\Temp"

The worm then drops a copy of itself as the following file:

tuyen_tap_hai_2008.exe

It queries the shared folder list using the following registry key, then drops its file "phim hai cuc hay.exe" to any existing shared folders it finds:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

Downloads arbitrary files

In the wild, we have observed the worm downloading arbitrary files onto infected computers. We have observed the worm downloading files from the following URLs:

  • cmdcmdcmd.php0h.com/ {file}
  • ewqscxz.fateback.com/ {file}
  • qweszxc.50webs.com/ {file}
  • www11.asphost4free.com/ewqscxz/ {file}
  • www41.websamba.com/aibietdc/ {file}


Where {file} can be any of the following:

  • a.jpg
  • 1.jpg
  • 2.jpg
  • 3.jpg
  • 4.jpg
  • 5.jpg
  • 6.jpg


For example, download links can be:

  • cmdcmdcmd.php0h.com/1.jpg
  • ewqscxz.fateback.com/5.jpg
  • www41.websamba.com/aibietdc/3.jpg


The downloaded files may be saved to and executed from the following paths:

  • c:\windows\system32\link.sys
  • c:\windows\system32\MSINET.OCX
  • c:\windows\system32\MSWINSCK.exe
  • c:\windows\system32\rar.exe
  • c:\windows\system32\svch0st.exe
  • c:\windows\system32\w
  • c:\windows\system32\y
  • c:\windows\temp\per.exe


Terminates processes and deletes files

The worm may terminate processes that contain any of the following strings:

  • avg
  • bhome
  • bit
  • blupro
  • bpro
  • kav
  • nod


Note that these strings are often associated with security-related processes.

It also deletes files with a .GHO file extension, as well as the following files:

  • c:\$Persi0.sys
  • c:\Persi0.sys


Modifies Hosts file

Worm:Win32/Chupik.A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution by mapping a host name to a particular IP address before any DNS lookup is made. Malware commonly modifies the Hosts file to redirect specified URLs to different IP addresses, in particular to stop you from reaching websites associated with security-related applications such as antivirus products.

The worm replaces the existing content of the Hosts file with the following content:

  • 127.0.0.1 9down<dot>com
  • 127.0.0.1 bkav.com<dot>vn
  • 127.0.0.1 download.avg<dot>com
  • 127.0.0.1 download.com<dot>vn
  • 127.0.0.1 download.eset<dot>com
  • 127.0.0.1 download.f-secure<dot>com
  • 127.0.0.1 download.softpedia<dot>com
  • 127.0.0.1 download1us.softpedia<dot>com
  • 127.0.0.1 free.avg<dot>com
  • 127.0.0.1 mirror02.gdata<dot>de
  • 127.0.0.1 spftrl.digitalriver<dot>com
  • 127.0.0.1 www<dot>9down.com
  • 127.0.0.1 www<dot>bitdefender.co.uk
  • 127.0.0.1 www<dot>bitdefender.com
  • 127.0.0.1 www<dot>bkav.com.vn
  • 127.0.0.1 www<dot>download.com
  • 127.0.0.1 www<dot>download.com.vn
  • 127.0.0.1 www<dot>grisoft.cz
  • 127.0.0.1 www<dot>kaspersky.com
  • 127.0.0.1 www<dot>symantec.com
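A hosts-file check for the payload shape shown above, written here as an added example rather than taken from the analysis: it reports every name the file points at a loopback or null address apart from the stock localhost names. The sample hosts content is constructed from a few of the entries listed above (with real dots restored) plus the comment and localhost lines a stock file carries.

```python
import ipaddress

# Addresses a hosts entry can use to sinkhole a name.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a stock hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}

# Constructed sample: a few of the entries the worm writes, plus the kind of
# comment and localhost lines a stock Windows hosts file carries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 download.avg.com
127.0.0.1 download.eset.com   # trailing comment, must be ignored
127.0.0.1 www.kaspersky.com www.symantec.com
0.0.0.0 www.bitdefender.com
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for each active line; comments, blanks and
    lines whose first token is not an IP address are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield parts[0], parts[1:]


def sinkholed_names(text):
    """Hostnames pointed at a loopback/null address other than the stock
    localhost names: the shape of the replacement hosts file described above."""
    hits = set()
    for addr, names in parse_hosts(text):
        if addr in SINK_ADDRESSES:
            hits.update(n.lower() for n in names
                        if n.lower() not in BENIGN_LOOPBACK_NAMES)
    return sorted(hits)


if __name__ == "__main__":
    for name in sinkholed_names(SAMPLE_HOSTS):
        print("sinkholed:", name)
```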

Additional information

The following is a list of the contents of the Autorun.inf file:

[AutoRun]
ShElL\OpEn\coMMand = h2o.exe
sheLl\OPeN\DeFaULT=1
SHeLL\ExPLOrE\coMMAnD = h2o.exe
OpEN= h2o.exe
sHELl\AuToplaY\cOMMAnd=h2o.exe
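The mixed-case spelling of the keys above defeats a signature that matches the literal text, but INI keys are case-insensitive, so a parser that folds case and strips whitespace recovers the real instructions. This Python parser is an added example, not Microsoft's or the worm's code; SAMPLE_AUTORUN is the file content listed above, and LAUNCH_KEYS also includes shellexecute, a standard Autorun key the analysis does not mention.

```python
import re

# [AutoRun] keys that cause an executable to run when the drive is opened,
# double-clicked or autoplayed. Compared after case-folding, because INI keys
# are case-insensitive and the sample spells them in mixed case.
LAUNCH_KEYS = {
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
}

# Autorun.inf content as listed in the analysis above.
SAMPLE_AUTORUN = r"""[AutoRun]
ShElL\OpEn\coMMand = h2o.exe
sheLl\OPeN\DeFaULT=1
SHeLL\ExPLOrE\coMMAnD = h2o.exe
OpEN= h2o.exe
sHELl\AuToplaY\cOMMAnd=h2o.exe
"""


def parse_autorun(text):
    """Return {normalised_key: value} for the [AutoRun] section.
    Keys are lower-cased and stripped of whitespace, so 'ShElL\\OpEn\\coMMand '
    becomes 'shell\\open\\command'; values keep their case, outer spaces removed."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[re.sub(r"\s+", "", key).lower()] = value.strip()
    return entries


def launch_targets(text):
    """Executables the file would run, de-duplicated and sorted; an empty list
    means the file only sets icon/label-type keys (typical of legitimate media)."""
    entries = parse_autorun(text)
    return sorted({entries[k] for k in LAUNCH_KEYS if k in entries})


if __name__ == "__main__":
    print(launch_targets(SAMPLE_AUTORUN))  # ['h2o.exe']
```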



Analysis by Ric Robielos

Last update 09 October 2012

 
