Worm:Win32/SnowFlake.A
First posted on 29 November 2011.
Source: SecurityHome
Aliases:
Worm:Win32/SnowFlake.A is also known as Win32.TrojanSnowFlak (ESET), Trojan.Win32.SnowFlake (Ikarus), TR/SnowFlake.A.a (Avira).
Explanation:
Worm:Win32/SnowFlake.A is a worm that downloads advertising applications. It spreads as an attachment to an email sent out to all contact email addresses found on an affected computer.
Installation
Worm:Win32/SnowFlake.A may arrive as an archive file. When run, it displays snowflake graphics on the user's desktop to mislead the user; at the same time it decrypts and runs the file time.ini, which it comes bundled with. The snowflake application may change your desktop so that it looks similar to the following:
Once it has run time.ini, it overwrites that file with the current system time and deletes it when the computer is restarted. Worm:Win32/SnowFlake.A then looks for the explorer.exe process and writes its malicious code into it. It hooks the CloseHandle API so that when explorer.exe calls this API, the injected code is triggered.
Spreads via...
Worm:Win32/SnowFlake.A sends an email to all user contacts that contains a copy of this worm as an attached file.
Payload
Downloads advertising applications
Worm:Win32/SnowFlake.A downloads certain applications that may display advertisements.
Additional information
Some samples of Worm:Win32/SnowFlake.A try to detect whether certain debugging and malware analysis tools, including the following, are running on the computer:
- Idag
- SoftICE
- OllyDbg and its variants
- PEiD
- XueTr
- Filemon
- Regmon
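The tool names above are a useful static triage signal: a sample that embeds several debugger or monitor process names is checking for an analysis environment. The following Python script is an added example, not code from the write-up or from the analyst; it scans a file's bytes for those names in both ASCII and UTF-16LE (case-insensitively, since Windows samples store process and window names either way) and reports the offsets. The sample blob and the `threshold` scoring are constructed for illustration.

```python
import re
import sys
from typing import Dict, List

# Process/tool names listed in the SnowFlake write-up. The scanning heuristic
# around them is an added example, not part of the original analysis.
ANALYSIS_TOOL_MARKERS: List[str] = [
    "idag", "softice", "ollydbg", "peid", "xuetr", "filemon", "regmon",
]


def find_anti_analysis_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {marker: [offsets]} for every tool name found in `data`.

    Both ASCII and UTF-16LE encodings are searched, case-insensitively,
    because a sample may compare process names as narrow or wide strings.
    """
    hits: Dict[str, List[int]] = {}
    for marker in ANALYSIS_TOOL_MARKERS:
        patterns = [
            re.escape(marker.encode("ascii")),
            re.escape(marker.encode("utf-16-le")),
        ]
        offsets: List[int] = []
        for pat in patterns:
            for m in re.finditer(pat, data, flags=re.IGNORECASE):
                offsets.append(m.start())
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def triage_verdict(hits: Dict[str, List[int]], threshold: int = 2) -> str:
    """Several distinct tool names in one file is a stronger anti-analysis
    indicator than a single, possibly coincidental, match. The threshold is
    an assumed tuning value, not something the write-up specifies."""
    return "suspicious" if len(hits) >= threshold else "inconclusive"


def scan_file(path: str) -> Dict[str, List[int]]:
    """Convenience wrapper: read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return find_anti_analysis_markers(fh.read())


# Constructed sample bytes (not a real SnowFlake binary): a fake DOS stub
# followed by a few strings of the kind a packed sample might embed.
CONSTRUCTED_SAMPLE: bytes = (
    b"MZ\x90\x00" + b"\x00" * 60                 # 64-byte fake header
    + b"CreateToolhelp32Snapshot\x00"            # process enumeration import
    + b"OLLYDBG.EXE\x00"                         # ASCII, upper case, at offset 89
    + "FileMon".encode("utf-16-le")              # wide string, at offset 101
    + b"\x00\x00kernel32.dll\x00CloseHandle\x00" # the API the worm hooks
    + b"time.ini\x00"                            # bundled payload file name
)


if __name__ == "__main__":
    data = scan_file(sys.argv[1]) if len(sys.argv) > 1 else None
    found = data if data is not None else find_anti_analysis_markers(CONSTRUCTED_SAMPLE)
    for name, offs in found.items():
        print(f"{name:8s} at offsets {offs}")
    print("verdict:", triage_verdict(found))
```

Run it with a file path to scan a sample, or with no arguments to scan the constructed blob, which yields hits for `ollydbg` and `filemon` and a "suspicious" verdict. Treat the result as a triage hint to prioritise dynamic analysis in a sandbox without those tools visible, not as a detection on its own: legitimate software rarely embeds these names, but a single match can still be coincidental.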
Analysis by Jim Wang
Last update 29 November 2011