W32.Sofacy
First posted on 07 November 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Sofacy.
Explanation:
When the worm is executed, it creates the following files:
%UserProfile%\Local Settings\Temp\temp41.tmp
%UserProfile%\Application Data\WindowsUpdate\Live.exe
%UserProfile%\Application Data\Windows Live\[RANDOM CHARACTERS]
%UserProfile%\Local Settings\Temp\apiSoftCA
%UserProfile%\Application Data\Windows Live\debug_cache_dump_2384394.dmp
Next, the worm creates one of the following registry entries so that it executes when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Live Installer" = "%UserProfile%\Application Data\WindowsUpdate\Live.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"Windows Live Installer" = "%UserProfile%\Application Data\WindowsUpdate\Live.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Live Installer" = "%UserProfile%\Application Data\WindowsUpdate\Live.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Windows Live Installer" = "%UserProfile%\Application Data\WindowsUpdate\Live.exe"
The worm then creates the following registry subkey:
HKEY_CURRENT_USER\Uazi Soft\UaziVer
Next, the worm adds the extension .gonewiththewings to .exe files stored in the following folders:
%UserProfile%\Application Data\Identities
%UserProfile%\Application Data\Microsoft\Windows
%UserProfile%\Application Data\Microsoft
%CommonProgramFiles%\bett2f002
%CommonProgramFiles%\CreativeAudio
%UserProfile%\Start Menu\Programs\Startup
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%UserProfile%\Local Settings\Temp
%AppData%
%UserProfile%
The worm may delete the files with the .gonewiththewings extension.
The worm then ends the following processes:
smsniff.exe
wireshark.exe
petools.exe
ollydbg.exe
rstrui.exe
notepad.exe
msiexec.exe
bfsvc.exe
helppane.exe
hh.exe
regedit.exe
twunk_16.exe
twunk32.exe
winhelp.exe
winhlp32.exe
write.exe
reader_sl.exe
Next, the worm connects to several remote locations.
The worm propagates by copying itself to removable drives. It does this in the following way:
Copies itself to %DriveLetter%\[RANDOM CHARACTERS].exe with a hidden attribute
Hides files and folders, apart from files with the .com, .cmd, .scr, .pif, and .exe extensions
Creates shortcuts to itself using the file names of the hidden files and folders
If the user opens these shortcuts, the threat will execute. The worm also opens the original file or folder to avoid suspicion.
Last update 07 November 2015
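As an added example (not part of the Symantec write-up), a Python check for two of the host-side traces described above: the "Windows Live Installer" Run/RunOnce persistence value, and the hidden-original-plus-visible-shortcut pattern the worm leaves on a removable drive. The registry export and the drive listing are constructed samples; on a live system you would feed it a `reg export` of the Run keys and a directory listing that includes the hidden attribute.

```python
import re

# Constructed .reg-style export; the value name "Windows Live Installer" and the
# WindowsUpdate\Live.exe target are the persistence markers from the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Live Installer"="C:\\Documents and Settings\\user\\Application Data\\WindowsUpdate\\Live.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""

RUN_KEY = re.compile(r"^\[(HKEY_\w+\\.*\\CurrentVersion\\(?:Run|RunOnce))\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_persistence(reg_text):
    """Return (key, value_name, target) for Run/RunOnce values matching the worm."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # new key: only track Run/RunOnce keys
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None
            continue
        v = REG_VALUE.match(line)
        if key and v:
            name, target = v.group(1), v.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name == "Windows Live Installer" or target.lower().endswith(r"windowsupdate\live.exe"):
                hits.append((key, name, target))
    return hits

# Constructed root listing of a removable drive as (name, is_hidden, is_dir).
SAMPLE_DRIVE = [
    ("Photos", True, True), ("Photos.lnk", False, False),
    ("report.docx", True, False), ("report.docx.lnk", False, False),
    ("setup.exe", False, False), ("kjhdsf.exe", True, False),
]

def find_lnk_decoys(entries):
    """Hidden files/folders that have a visible .lnk of the same name beside them."""
    decoy_stems = {n[:-4] for n, hidden, _ in entries
                   if n.lower().endswith(".lnk") and not hidden}
    return sorted(n for n, hidden, _ in entries if hidden and n in decoy_stems)

def hidden_root_executables(entries):
    """Hidden .exe files in the drive root, where the worm plants its own copy."""
    return sorted(n for n, hidden, is_dir in entries
                  if hidden and not is_dir and n.lower().endswith(".exe"))

if __name__ == "__main__":
    print(find_persistence(SAMPLE_REG))
    print(find_lnk_decoys(SAMPLE_DRIVE), hidden_root_executables(SAMPLE_DRIVE))
```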