
Worm:Win32/Mogoogwi.A


First posted on 11 March 2015.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Mogoogwi.A.

Explanation:

Threat behavior

Installation

This threat installs itself to the following locations:

  • C:\GoogleChrome\GoogleChrome.exe
  • C:\MozillaFirefox\GoogleChrome.exe


It can also install the following files in any directory on your PC:

  • GoogleUpdate.lnk
  • MozillaFirefox.lnk
  • My Music.lnk
  • .lnk
  • WindowsUpdate.lnk


It changes the following registry entries so that the LNK files run each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "JavaUpdate"
With data: the path to "GoogleUpdate.lnk", for example "C:\GoogleChrome\\GoogleUpdate.lnk"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdopeUpdate"
With data: the path to "GoogleUpdate.lnk", for example "C:\GoogleChrome\\GoogleUpdate.lnk"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NewJavaInstall"
With data: the worm's file name, for example "GoogleChrome.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdopeFlash"
With data: the worm's file name, for example "GoogleChrome.exe"

We have also seen the following malware installed at the same time as this worm:

  • Trojan:MSIL/Mogoogwi.A
  • Trojan:VBS/Mogoogwi.A


These threats are used to register the malicious LNK files in the registry.

Spreads through

Removable drives

This worm copies itself to the root folder of any removable drives connected to your PC, such as USB flash drives.

It also creates a shortcut LNK file pointing to the worm copy on the removable drive.

Payload

Receives commands from a malicious hacker

This worm tries to connect to the following command and control server to receive commands from a malicious hacker:

  • dmad.info


Once connected it can be instructed to:

  • Download and upload files and run them on your PC, including other malware.
  • Uninstall itself to avoid analysis.


It also sends the following information about your PC to the server:

  • Your operating system version and architecture
  • Your PC name
  • Your user name
  • Your security software details


Modifies your firewall settings

This worm can add or remove applications from your firewall exception list.



Analysis by Zarestel Ferrer

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    C:\GoogleChrome\GoogleChrome.exe
    C:\MozillaFirefox\GoogleChrome.exe
    GoogleUpdate.lnk
    MozillaFirefox.lnk
    My Music.lnk
    WindowsUpdate.lnk
  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "JavaUpdate"
    With data: the path to "GoogleUpdate.lnk", for example "C:\GoogleChrome\\GoogleUpdate.lnk"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "AdopeUpdate"
    With data: the path to "GoogleUpdate.lnk", for example "C:\GoogleChrome\\GoogleUpdate.lnk"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "NewJavaInstall"
    With data: the worm's file name, for example "GoogleChrome.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "AdopeFlash"
    With data: the worm's file name, for example "GoogleChrome.exe"
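As an added example (it is not part of this Microsoft entry), the following Python script turns the indicators above into a host check: it reads a `reg export` style dump of the two Run keys and flags values whose name or data matches the listed value names, install paths, LNK names or worm file name, and it scans DNS query log lines for the dmad.info server. The registry dump and the DNS log lines are constructed sample input, and the DNS log line format is an assumption rather than any product's real format.

```python
"""Added example (not from the Microsoft entry): check host artifacts for the
Worm:Win32/Mogoogwi.A indicators listed on this page.

Inputs are a `reg export` style dump of the Run keys and DNS query log lines.
Both sample inputs below are constructed for this demonstration; the DNS log
line format is an assumption, not a real product's format.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the threat description (page content, not invented).
RUN_VALUE_NAMES = {"JavaUpdate", "AdopeUpdate", "NewJavaInstall", "AdopeFlash"}
INSTALL_PATHS = {
    r"c:\googlechrome\googlechrome.exe",
    r"c:\mozillafirefox\googlechrome.exe",
}
LNK_NAMES = {"googleupdate.lnk", "mozillafirefox.lnk", "my music.lnk", "windowsupdate.lnk"}
MALWARE_FILE_NAME = "googlechrome.exe"
C2_DOMAIN = "dmad.info"

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# One value line of a .reg export looks like: "Name"="data"
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def scan_reg_export(text: str) -> List[Dict[str, str]]:
    """Return Run values whose name or data matches a Mogoogwi indicator."""
    hits: List[Dict[str, str]] = []
    in_run_key = False
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_run_key = current_key.lower() in RUN_KEYS
            continue
        m = VALUE_LINE.match(line) if in_run_key else None
        if not m:
            continue
        name = m.group("name")
        # .reg exports escape each backslash as "\\"; undo that before comparing.
        data = m.group("data").replace("\\\\", "\\")
        basename = data.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in RUN_VALUE_NAMES:
            reasons.append("known value name")
        if data.lower() in INSTALL_PATHS:
            reasons.append("known install path")
        if basename in LNK_NAMES:
            reasons.append("known LNK file name")
        if basename == MALWARE_FILE_NAME:
            reasons.append("known malware file name")
        if reasons:
            hits.append({"key": current_key, "name": name, "data": data,
                         "reason": ", ".join(reasons)})
    return hits


DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, queried name) pairs for the C2 domain or a subdomain of it."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        host = m.group("query").lower().rstrip(".")
        # Exact match or a proper subdomain; a bare suffix test would also
        # flag unrelated names such as "nodmad.info".
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            out.append((m.group("client"), host))
    return out


# Constructed sample inputs (not real telemetry).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"JavaUpdate"="C:\\GoogleChrome\\GoogleUpdate.lnk"
"NewJavaInstall"="GoogleChrome.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Updater"="C:\\MozillaFirefox\\GoogleChrome.exe"
"""

SAMPLE_DNS_LOG = """\
2015-03-11T08:15:02Z client=10.0.0.12 query=update.microsoft.com type=A
2015-03-11T08:15:09Z client=10.0.0.12 query=dmad.info type=A
2015-03-11T08:16:40Z client=10.0.0.7 query=cdn.dmad.info type=A
2015-03-11T08:17:01Z client=10.0.0.7 query=nodmad.info type=A
"""

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[registry] {hit['key']}\\{hit['name']} = {hit['data']}  ({hit['reason']})")
    for client, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"[dns] {client} queried {host}")
```

The registry check matches on the data as well as the value name, because the value name is the part an operator can change most cheaply; the "Updater" entry in the sample is caught only by its path. Comparisons are case-insensitive since both the registry and NTFS paths are.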

Last update 11 March 2015
