Trojan.Pws.Wow.NCY
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Trojan.Pws.Wow.NCY.
Explanation:
This threat is actually a worm: it spreads by copying itself to DC++ shared folders under the names of crack and keygen files.
When executed, the worm first checks whether the file HOMEPATH\USERNAME.exe exists. If it does not, it copies itself to that location, creates the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\userName pointing to the copied file, and executes the copy. If the file in HOMEPATH exists but the running process was not started from that location, the worm enumerates all drives. For each fixed drive it finds, it searches recursively (at most 7 folders deep) for the file DCPlusPlus.xml, skipping the folders "Windows", "Common Files", "Application Data", "Favorites", "My Documents", "Local Settings" and "Default User". This file stores the settings of the DC++ program, such as the Nick and the Shared Folders. Once the file is found, the worm reads all shared folders from it and generates 255 copies of itself in each one. Each copy's name is a combination of one string from the set (CRACK) (KEY GEN) (PATCH) (FULL) (crack) (Key Gen) (Patch) and one string from a second set containing 2266 names of well-known programs, such as Adobe Acrobat Reader, 3d Studio, AGE OF EMPIRES, ALIEN vs PREDATOR, FIFA 2006 (SPORTS) 1DVD, FIFA 2007 (SPORT) 1DVD, FLASH (All Versions), etc.
(The list of the programs will not be written here due to its size).
The worm creates a hidden window named BlackSun, in which it creates a WebBrowser object with the title "www.google.com" and a ListBox containing the URLs of the sites from which another executable will be fetched (a list of hostnames, partially redacted in the source).
Every 3 seconds the worm tries to fetch the file /void.php from each of these web sites, using the user agent BlackSun. If a site still exists and the executable is still present there, it is downloaded as HOMEPATH\Local Settings\Temp\update.exe and executed.
USERNAME is the name of the current user.
HOMEPATH is the home folder of the user, usually C:\Documents and Settings\USERNAME.
Last update 21 November 2011
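Defender-side triage checks for the behaviour described above, as an added example (not BitDefender's code): it reads the shared folders out of a DC++ settings file, flags executables whose names carry the worm's crack/keygen tags, and picks the BlackSun /void.php poll out of web-server log lines. The DCPlusPlus.xml layout (Directory entries under Share) and the Apache combined log format are assumptions; all sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Lure tags the worm combines with program names (taken from the write-up above).
LURE_TAGS = ("(CRACK)", "(KEY GEN)", "(PATCH)", "(FULL)", "(crack)", "(Key Gen)", "(Patch)")

# The worm's poll: GET /void.php with User-Agent "BlackSun" (Apache combined format assumed).
BEACON_RE = re.compile(r'"GET /void\.php HTTP/1\.[01]" .*"BlackSun"\s*$')

# Constructed DCPlusPlus.xml fragment; the <Share>/<Directory> layout is an assumption.
SAMPLE_DCPP_XML = r"""<DCPlusPlus>
  <Settings><Nick type="string">demo</Nick></Settings>
  <Share>
    <Directory Virtual="Warez">C:\Shared\Warez</Directory>
    <Directory Virtual="Music">D:\Music</Directory>
  </Share>
</DCPlusPlus>"""

# Constructed listing of one shared folder.
SAMPLE_LISTING = [
    "Adobe Acrobat Reader (CRACK).exe",
    "FIFA 2007 (SPORT) 1DVD (Key Gen).exe",
    "readme.txt",
    "3d Studio (Patch).EXE",
    "setup.exe",
]

# Constructed web-server log lines (Apache combined format).
SAMPLE_LOG = [
    '10.0.0.7 - - [21/Nov/2011:10:00:00 +0000] "GET /void.php HTTP/1.1" 200 512 "-" "BlackSun"',
    '10.0.0.7 - - [21/Nov/2011:10:00:03 +0000] "GET /void.php HTTP/1.1" 404 0 "-" "BlackSun"',
    '10.0.0.8 - - [21/Nov/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def shared_dirs_from_dcpp_xml(xml_text):
    """Return the share directories recorded in a DCPlusPlus.xml document."""
    root = ET.fromstring(xml_text)
    return [d.text.strip() for d in root.iter("Directory") if d.text]

def is_lure_name(filename):
    """True if an executable's name carries one of the worm's crack/keygen tags."""
    return filename.lower().endswith(".exe") and any(tag in filename for tag in LURE_TAGS)

def lure_files(listing):
    """Filter a shared-folder listing down to suspected worm copies."""
    return [name for name in listing if is_lure_name(name)]

def beacon_lines(log_lines):
    """Return log lines matching the worm's /void.php poll with the BlackSun user agent."""
    return [line for line in log_lines if BEACON_RE.search(line)]
```

Run the share-directory output through lure_files on a real listing to find the planted copies, and apply beacon_lines to proxy or hosting logs to spot the 3-second poll.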