Worm:Win32/Dogkild.A
First posted on 10 July 2009.
Source: SecurityHome
Aliases:
There are no other names known for Worm:Win32/Dogkild.A.
Explanation:
Worm:Win32/Dogkild.A is a worm that spreads via removable drives. It downloads and executes arbitrary files from a remote host. It has been designed to deliberately compromise particular System Restore hardware and software.
Note: In the wild this worm has been observed being downloaded and installed onto affected machines by malicious code detected as Exploit:JS/CVE-2008-0015. Exploit:JS/CVE-2008-0015 is the detection for code that attempts to exploit a vulnerability in the Microsoft Video ActiveX Control. When a user visits a web page containing an exploit detected as Exploit:JS/CVE-2008-0015, it may connect to a remote server and download other malware. This vulnerability is discussed in detail in Microsoft Security Advisory (972890).
Symptoms
System changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%windir%\func.dll (detected as Worm:Win32/Dogkild.A!dll)
<system folder>\func.dll (detected as TrojanDownloader:Win32/Dogkild.N)
<system folder>\drivers\pcidump.sys
Installation
Worm:Win32/Dogkild.A may consist of several components. When executed, it may drop the following files to the affected system:
%windir%\phpi.dll (detected as Worm:Win32/Dogkild.A!dll)
<system folder>\func.dll (detected as TrojanDownloader:Win32/Dogkild.N)
<system folder>\drivers\pcidump.sys (detected as VirTool:WinNT/Dogrobot.gen!K)
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
Spreads via…
Removable drives
Worm:Win32/Dogkild.A spreads via removable drives. It copies itself as 1.exe to the root of all accessible removable drives. Worm:Win32/Dogkild.A then writes an autorun configuration file named 'autorun.inf' pointing to its copy. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
Payload
Downloads and executes arbitrary files
Worm:Win32/Dogkild.A contacts remote hosts in order to download and execute files of the attacker's choice on the affected machine. In the wild, Worm:Win32/Dogkild.A has been observed contacting the following domain for this purpose:
babi2009.com
It also posts data regarding the infection to the tongji520.com domain, presumably for statistics gathering purposes.
Compromises system restore
Win32/Dogkild may overwrite particular system files, thus bypassing the protection offered by System Restore hardware and software, as the integrity of restore settings may be lost. The overwritten file may be <system folder>\drivers\gm.dls.
Modifies hosts file
Worm:Win32/Dogkild.A may replace the Windows Hosts file. The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file to stop users from accessing websites associated with particular security-related applications (such as antivirus products).
Terminates processes
Win32/Dogkild attempts to terminate the following processes - these processes are related to antivirus software:
360Safe.exe
360Safebox.exe
360tray.exe
AgentSvr.exe
antiarp.exe
ANTI-TROJAN.exe
antivir.exe
AUTODOWN.exe
AVKSERV.exe
avp.exe
AVPUPD.exe
AVSCHED32.exe
avsynmgr.exe
AVWIN95.exe
CCenter.exe
CFIAUDIT.exe
CFIND.exe
cfinet.exe
cfinet32.exe
DrRtp.exe
DV95.exe
DV95_O.exe
DVP95.exe
egui.exe
ekrn.exe
JED.exe
Kabackreport.exe
kaccore.exe
Kasmain.exe
kav32.exe
kavstart.exe
kissvc.exe
kmailmon.exe
KPFW32.exe
kpfw32.exe
kpfwsvc.exe
KPPMain.exe
KRF.exe
KVMonXP.exe
KVPreScan.exe
kwatch.exe
KwatchSvc.exe
luall.exe
LUCOMSERVER.exe
mcafee.exe
McNASvc.exe
McProxy.exe
Mcshield.exe
mon.exe
moniker.exe
MOOLIVE.exe
MpfSrv.exe
N32ACAN.exe
navapsvc.exe
navapw32.exe
NAVLU32.exe
NAVNT.exe
navrunr.exe
NAVSCHED.exe
NAVW.exe
NAVW32.exe
navwnt.exe
nod32krn.exe
PCCClient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccwin98.exe
PCFWALLICON.exe
PERSFW.exe
pop3trap.exe
PpPpWallRun.exe
program.exe
prot.exe
pview95.exe
QQDoctor.exe
ras.exe
Rav.exe
RAV7.exe
rav7win.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
rescue32.exe
Rfw.exe
rfwmain.exe
rfwProxy.exe
rfwsrv.exe
rfwstub.exe
Rsaupd.exe
RsMain.exe
rsnetsvr.exe
rssafety.exe
RsTray.exe
safeboxTray.exe
safeweb.exe
scam32.exe
scan.exe
SCAN32.exe
scanfrm.exe
ScanFrm.exe
SCANPM.exe
scon.exe
SCRSCAN.exe
secu.exe
SERV95.exe
sirc32.exe
SMC.exe
smtpsvc.exe
SPHINX.exe
spy.exe
SWEEP95.exe
TBSCAN.exe
TCA.exe
TDS2-98.exe
TDS2-NT.exe
Tmntsrv.exe
TMOAgent.exe
tmproxy.exe
tmupdito.exe
TSC.exe
UlibCfg.exe
vavrunr.exe
VET95.exe
VETTRAY.exe
vir.exe
VPC32.exe
VSECOMR.exe
vshwin32.exe
VSHWIN32.exe
VSSCAN40
vsstat.exe
WEBSCAN.exe
WEBSCANX.exe
webtrap.exe
WFINDV32.exe
wink.exe
zonealarm.exe
ZONEALARM.exe
Modifies system security settings
Win32/Dogkild also attempts to disable the following antivirus-related services:
avp
ekrn
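As an added example (not part of the original writeup or any vendor tool), a small Python checker for two of the artifacts described above: an autorun.inf at a removable drive root whose launch directives point at a co-located executable such as 1.exe, and Hosts-file entries that override the resolution of security-vendor domains. The sample autorun.inf, hosts contents, drive-root listing and the vendor domain are constructed placeholders.

```python
import configparser
# Constructed samples (not from the writeup): an autorun.inf pointing every launch
# directive at 1.exe in the drive root, a hosts file pinning a placeholder vendor domain.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=1.exe
shellexecute=1.exe
shell\\open\\Command=1.exe
"""
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.example-av-vendor.test
0.0.0.0   update.example-av-vendor.test   # update server sinkholed
"""
SAMPLE_ROOT_LISTING = ["autorun.inf", "1.exe", "Photos", "notes.txt"]  # constructed

AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # values Autorun runs

def autorun_launch_targets(text):
    """Return the distinct, lower-cased programs an autorun.inf would launch."""
    # '%' stays literal (e.g. %windir%), duplicate keys tolerated, ':' is not a delimiter.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    targets = set()
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key.lower() in AUTORUN_LAUNCH_KEYS:
                targets.add(value.strip().strip('"').lower())
    return sorted(targets)

def removable_root_flags(root_listing, autorun_text):
    """Flag launch targets that actually sit beside autorun.inf at the drive root."""
    present = {name.lower() for name in root_listing}
    return [t for t in autorun_launch_targets(autorun_text) if t in present]

def suspicious_hosts_entries(text, watched_suffixes):
    """Return (ip, hostname) pairs where a watched domain is overridden in hosts."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            name = name.lower()
            if any(name == s or name.endswith("." + s) for s in watched_suffixes):
                hits.append((ip, name))
    return hits
```

On a live system the same functions can be fed the contents of each removable drive's autorun.inf and of %windir%\System32\drivers\etc\hosts, with the vendor domains you actually rely on as the watch list.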
Analysis by Chun Feng
Last update 10 July 2009