
Worm:Win32/Slenping.AE


First posted on 15 October 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Slenping.AE is also known as Trojan.Win32.Jorik.Lolbot.dp (Kaspersky), W32/VBTroj.CYQQ (Norman), Trojan.MulDrop1.45784 (Dr.Web), IM-Worm.Win32.Yahos (Ikarus), Trj/WL-heur.A (Panda), BACKDOOR.Trojan (Symantec), TROJ_JORIK.AA (Trend Micro).

Explanation :

Worm:Win32/Slenping.AE is a worm that can spread via instant messenger programs and removable drives. It also allows a remote attacker backdoor access and control of the infected computer.

Installation

When executed, Worm:Win32/Slenping.AE copies itself to the Public user's Application Data folder as the following:

  • hex-5823-6893-6818\jutched.exe

Note that it also creates the folder "hex-5823-6893-6818" within the Application Data folder.

Worm:Win32/Slenping.AE modifies the registry to run its copy at each Windows start:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Java Update Manager"
With data: "%AppData%\hex-5823-6893-6818\jutched.exe"

It also adds itself to the Windows Firewall exception list, so that the firewall does not block its network traffic, by adding the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\hex-5823-6893-6818\jutched.exe"
With data: "%AppData%\hex-5823-6893-6818\jutched.exe:*:enabled:java update manager"

Win32/Slenping.AE creates a mutex called "l0lkn0lltr0ll" to ensure only one copy of itself runs at a time.

Spreads via...

Instant messenger programs

Worm:Win32/Slenping.AE can be ordered to spread via the following instant messenger programs by a remote attacker using the worm's backdoor functionality (see the Payload section below for additional detail):
  • Google Talk
  • MSN Messenger
  • Paltalk
  • Skype
  • XFire
  • Yahoo Messenger

When the attacker orders the worm to spread via instant messenger programs, they also provide the content of the messages to be sent. Here are some of the messages sent to contacts, chosen according to the language of the operating system of the infected computer (most of them are a variation of "look at this photo :D"):

  • bekijk deze foto :D <malware URL>
  • bu resmi bakmak :D <malware URL>
  • guardare quest'immagine :D <malware URL>
  • katso tätä kuvaa :D <malware URL>
  • mira esta fotografía :D <malware URL>
  • nézd meg a képet :D <malware URL>
  • olhar para esta foto :D <malware URL>
  • podívejte se na mou fotku :D <malware URL>
  • pogledaj to slike :D <malware URL>
  • poglej to fotografijo :D <malware URL>
  • pozrite sa na túto fotografiu :D <malware URL>
  • regardez cette photo :D <malware URL>
  • se på dette bildet :D <malware URL>
  • seen this?? :D <malware URL>
  • ser på dette billede :D <malware URL>
  • spojrzec na to zdjecie :D <malware URL>
  • This is the funniest photo ever! <malware URL>
  • titta på denna bild :D <malware URL>
  • uita-te la aceasta fotografie :D <malware URL>
  • Wie findest du das Foto? <malware URL>

The worm may use file names such as the following for the copy being spread:
  • DCIM.exe
  • music.exe
  • Nueva carpeta.exe

Removable drives

Worm:Win32/Slenping.AE copies itself to the following locations on removable drives:

  • <targeted drive>:\8585485\...exe
  • <targeted drive>:\8585485\..exe
  • <targeted drive>:\8585485\subst.exe

It may also create the following shortcut files on targeted drives when spreading:

  • <targeted drive>:\..s.lnk
  • <targeted drive>:\.s.lnk
  • <targeted drive>:\substs.lnk

If the user clicks on one of these shortcut files, it runs one of the worm copies stored in the "8585485" folder on the removable drive.

Payload

Allows backdoor access and control

Worm:Win32/Slenping.AE connects to the remote server "msnsolution.nicaze.net", usually on TCP port 1866, from which it accepts backdoor commands. These include spreading via instant messenger programs and downloading and executing arbitrary files.
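The indicators above (dropped file, Run key value, firewall exception entry, mutex, removable-drive copies and shortcuts, C2 host) can be turned directly into detection logic. The following Python is an added example written for this page, not code from the original analysis: it matches constructed, Sysmon-style event records against those indicators. The record layout (one dict per event with "type", "path", "key", "name", "data", "dest_host" and "dest_port" fields) and the sample events are assumptions made for the example; the indicator values are the ones listed in this write-up.

```python
"""Match host telemetry against the Win32/Slenping.AE indicators listed above."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up.
DROPPER_TAIL = r"\hex-5823-6893-6818\jutched.exe"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Java Update Manager"
FIREWALL_LIST_KEY = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)
FIREWALL_DATA_TAIL = ":*:enabled:java update manager"
MUTEX_NAME = "l0lkn0lltr0ll"
C2_HOST = "msnsolution.nicaze.net"
# Removable-drive copies live in <drive>:\8585485\<name>.exe; the shortcuts that
# launch them sit in the drive root as ..s.lnk, .s.lnk and substs.lnk.
REMOVABLE_COPY_RE = re.compile(r"^[a-z]:\\8585485\\[^\\]+\.exe$", re.IGNORECASE)
REMOVABLE_LNK_RE = re.compile(r"^[a-z]:\\(\.\.s|\.s|substs)\.lnk$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str      # which indicator matched
    evidence: str  # the field value that matched


def _norm(s: str) -> str:
    """Lower-case and drop surrounding quotes so case and quoting do not defeat a compare."""
    return s.strip().strip('"').lower()


def check_event(ev: dict) -> list[Hit]:
    """Return every indicator a single event record matches (empty list if none)."""
    hits: list[Hit] = []
    kind = ev.get("type")
    if kind == "file_create":
        path = _norm(ev.get("path", ""))
        # Match the folder\file tail: telemetry shows the expanded path, not %AppData%.
        if path.endswith(DROPPER_TAIL.lower()):
            hits.append(Hit("dropper_copy", ev["path"]))
        if REMOVABLE_COPY_RE.match(path):
            hits.append(Hit("removable_copy", ev["path"]))
        if REMOVABLE_LNK_RE.match(path):
            hits.append(Hit("removable_shortcut", ev["path"]))
    elif kind == "registry_set":
        key, name, data = (_norm(ev.get(f, "")) for f in ("key", "name", "data"))
        if key == RUN_KEY.lower() and (
            name == RUN_VALUE_NAME.lower() or data.endswith(DROPPER_TAIL.lower())
        ):
            hits.append(Hit("run_key_persistence", f"{ev.get('name')} = {ev.get('data')}"))
        if key == FIREWALL_LIST_KEY.lower() and (
            DROPPER_TAIL.lower() in data or data.endswith(FIREWALL_DATA_TAIL)
        ):
            hits.append(Hit("firewall_exception", ev.get("data", "")))
    elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        hits.append(Hit("infection_marker_mutex", ev["name"]))
    elif kind == "network_connect" and _norm(ev.get("dest_host", "")) == C2_HOST:
        # The write-up says port 1866 is usual, not fixed, so the hostname alone decides.
        hits.append(Hit("c2_connection", f"{ev['dest_host']}:{ev.get('dest_port')}"))
    return hits


def scan(events: list[dict]) -> list[Hit]:
    """Run check_event over a batch of records and collect all hits, in order."""
    return [h for ev in events for h in check_event(ev)]


# Constructed sample telemetry (not from a real incident): seven malicious records
# followed by benign noise. Profile paths assume an XP-era layout.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Documents and Settings\All Users\Application Data\hex-5823-6893-6818\jutched.exe"},
    {"type": "registry_set", "key": RUN_KEY, "name": "Java Update Manager",
     "data": r"%AppData%\hex-5823-6893-6818\jutched.exe"},
    {"type": "registry_set", "key": FIREWALL_LIST_KEY,
     "name": r"%AppData%\hex-5823-6893-6818\jutched.exe",
     "data": r"%AppData%\hex-5823-6893-6818\jutched.exe:*:enabled:java update manager"},
    {"type": "mutex_create", "name": "l0lkn0lltr0ll"},
    {"type": "file_create", "path": r"E:\8585485\subst.exe"},
    {"type": "file_create", "path": r"E:\substs.lnk"},
    {"type": "network_connect", "dest_host": "msnsolution.nicaze.net", "dest_port": 1866},
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\My Documents\notes.txt"},
    {"type": "registry_set", "key": RUN_KEY, "name": "ctfmon.exe", "data": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"type": "registry_set", "key": FIREWALL_LIST_KEY, "name": r"C:\Program Files\Messenger\msmsgs.exe",
     "data": r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"},
    {"type": "network_connect", "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.rule}] {hit.evidence}")
```

Matching on the folder-and-file tail rather than the literal "%AppData%" string is deliberate: file-creation telemetry records the expanded path, while the Run and firewall values keep the unexpanded variable, and the tail is common to both. Two caveats: the AuthorizedApplications\List key is the Windows XP/Server 2003 firewall exception store, so on Vista and later the same behaviour would show up under the sibling FirewallRules key instead and the firewall_exception rule would need a second key; and the C2 hostname is the strongest network indicator here, because the write-up gives port 1866 only as the usual port.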

    Analysis by Marianne Mallen

    Last update 15 October 2010

     
