Home / malwarePDF  

Win32.Donghe.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Donghe.A@mm is also known as N/A.

Explanation :

The virus arrives trough e-mail in the following format:
From: random generated name
Subject: a Chinese string randomly selected from a hard coded list. There is a small chance that in subject will be the following text: just for my father !.
Attachment: Hello.exe or Hello.vbs

When the user opens the attachment the worm will copies itself in System directory with the name exporler.exe. After that it replaces the value Default of the following registry key:
HKLMSOFTWAREClassesexefileshellopencommand
with exporler.exe %1 %*. In this way the worm will be executed every time when an exe file is opened.

The worm tries to send 10 emails at every windows session. It uses 7 hard coded free SMTP servers and the e-mails will always be sent only to the users that have e-mail accounts on those servers. The e-mail addresses are randomly generated from some hard coded strings. At every e-mail sent there is a 50% chance that the worm will send a vbs attachment with it's payload instead the worm itself.

When the user opens the hello.vbs attachment the script creates two copies of itself: %Windows%Win32Dll.vbs and %System%MSKernel.vbs.

It will also add two registry keys:
MSKernel32 with value %System%MSKernel.vbs in
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
and Win32Dll with value %Windows%Win32Dll in
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices

It also changes the startup page with the URL:
http://www.hziee.edu.cn
After that it will search for every file with extension: exe, dll, dat, mp3, doc and it will delete them.

Last update 21 November 2011

 

TOP