W32.Tempedreve
First posted on 03 January 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Tempedreve.
Explanation:
When the worm is executed, it creates the following files:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
%Windir%\System32\[RANDOM FILE NAME].exe
%DriveLetter%\Temp.exe
%UserProfile%\Local Settings\Temp\~[RANDOM FILE NAME].tmp
The worm then drops the following file, which may contain a fake invoice document:
%UserProfile%\Local Settings\Temp\~[RANDOM FILE NAME].tmp.pdf
The worm then creates the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\Security\"Security" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"Type" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"Start" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"ImagePath" = "expand:[PATH TO MALWARE] -s"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"FailureActions" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"ErrorControl" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"DisplayName" = "[RANDOM KEY NAME]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"Description" = "[RANDOM KEY NAME]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"DependOnService" = "RPCSS\00\00"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\[RANDOM KEY NAME]\"DependOnGroup" = "\00"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"Service" = "[RANDOM KEY NAME]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"Legacy" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"DeviceDesc" = "[RANDOM KEY NAME]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"ConfigFlags" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"ClassGUID" = "[CLSID KEY]"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_[RANDOM KEY NAME]\"NextInstance" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM KEY NAME]" = "[PATH TO MALWARE]"
Next, the worm connects to the following remote locations:
http://[RANDOM DOMAIN]/pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl
http://[RANDOM DOMAIN]/pki/mscorp/crl/msitwww2.crl
The worm may then spread through removable and network drives.
Last update 03 January 2015
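The artifacts above (a randomly named service running as LocalSystem, an HKCU Run entry pointing at the dropped executable, and Temp.exe at the root of each drive) are what a responder can check for on a suspect host. The following read-only hunting script is an added example written for this page; it is not Symantec's code and the function name Find-TempedreveArtifacts and the heuristics it applies are this example's own. It assumes the `expand:` prefix shown in the ImagePath entry above marks an expandable-string (REG_EXPAND_SZ) value rather than literal text, so it keys on the trailing ` -s` argument, the LocalSystem account, and executables launched from under Application Data instead. Any hit is a triage lead to confirm manually (file hash, signature, creation time), not a verdict.

```powershell
# Added hunting script for the W32.Tempedreve artifacts described above.
# Not Symantec's code; names and thresholds are this example's own.
# Read-only: it only reads the registry and tests file paths. Run elevated.

function Find-TempedreveArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # Roaming profile folder; on Vista and later "Application Data" is a junction to it.
    $appData = [Environment]::GetFolderPath('ApplicationData')

    # --- 1. Services: LocalSystem account plus a trailing " -s" argument
    #        or an image launched from a user-writable profile location.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        # GetValue expands %SystemRoot%-style strings so paths compare as real paths.
        $image = [string]$key.GetValue('ImagePath')
        $owner = [string]$key.GetValue('ObjectName')
        if (-not $image) { return }

        $trailingS = $image -match '\s-s\s*$'
        $userPath  = ($image -like '*\Application Data\*') -or ($image -like "$appData*")
        if ($owner -eq 'LocalSystem' -and ($trailingS -or $userPath)) {
            $findings.Add([pscustomobject]@{
                Kind   = 'Service'
                Name   = $key.PSChildName
                Detail = $image
            })
        }
      }

    # --- 2. Run keys (HKCU as in the writeup, HKLM for completeness) whose command
    #        launches something from under Application Data.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-Item $runKey -ErrorAction SilentlyContinue
        if (-not $run) { continue }
        foreach ($name in $run.GetValueNames()) {
            $cmd = [string]$run.GetValue($name)
            if (($cmd -like '*\Application Data\*') -or ($cmd -like "$appData*")) {
                $findings.Add([pscustomobject]@{
                    Kind   = 'RunKey'
                    Name   = "$hive $name"
                    Detail = $cmd
                })
            }
        }
    }

    # --- 3. Temp.exe at the root of every mounted drive (the spreading artifact).
    foreach ($drive in Get-PSDrive -PSProvider FileSystem -ErrorAction SilentlyContinue) {
        $candidate = Join-Path $drive.Root 'Temp.exe'
        if (Test-Path -LiteralPath $candidate -ErrorAction SilentlyContinue) {
            $findings.Add([pscustomobject]@{
                Kind   = 'DriveRoot'
                Name   = $drive.Name
                Detail = $candidate
            })
        }
    }

    return $findings
}

# Usage: print whatever was found; an empty table means none of the three
# indicator classes is present on this host.
Find-TempedreveArtifacts | Format-Table -AutoSize
```

The service check is deliberately broader than the writeup's single pattern: a LocalSystem service whose binary lives in a user profile is suspicious on its own, independent of the ` -s` argument, so both conditions are reported and the analyst decides which hits matter. The Enum\Root\LEGACY_* keys listed above are created automatically by the Service Control Manager for any new service, so they are not checked separately; the Services key itself is the primary evidence.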