
Worm:Win32/Rotrumas.A


First posted on 01 December 2012.
Source: Microsoft

Aliases:

Worm:Win32/Rotrumas.A is also known as Trojan/Win32.Xema (AhnLab), Win32.HLLW.Kati (Dr.Web), Win32/VB.NNJ worm (ESET), Worm.Win32.VB.ig (Kaspersky), W32/YahLover.worm.gen (McAfee), Worm.Win32.VobfusEx.e (Rising AV).

Explanation:



Worm:Win32/Rotrumas.A is a worm that spreads via removable drives. It may also replace picture files it finds with its own image and may erase the contents of document files.



Installation

Worm:Win32/Rotrumas.A drops copies of itself as the following:

  • <system folder>\deter177\?ht?msys19.exe
  • <system folder>\deter177\ctfmon.exe
  • <system folder>\deter177\lsass.exe
  • <system folder>\deter177\smss.exe
  • <system folder>\deter177\sv?h?st.exe


Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is "C:\WinNT\System32" on Windows 2000 and NT, and "C:\Windows\System32" on Windows XP, Vista, 7 and 8.

Note that some of the letters used in the file names are in the Cyrillic alphabet and may not show on your computer correctly.

Each of these files uses the folder icon in an attempt to fool you into thinking that it is a folder (the original page illustrates this with a screenshot).



Worm:Win32/Rotrumas.A creates the following registry entries so that its copies automatically run every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe <system folder>\?ht?msys19.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "lsass"
With data: "<system folder>\deter177\lsass.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "?ht?msys19.exe"
With data: "<system folder>\ctfmon.exe"

Worm:Win32/Rotrumas.A may search for windows with any of the following titles. If one is found, Worm:Win32/Rotrumas.A stops itself from running, because it assumes these windows belong to antivirus programs:

  • Agnitum Outpost Firewall - configuration.cfg
  • AVP.MainWindow
  • AVP.MessageDialog
  • AVP.Product_Notification
  • AVP.ReportWindow
  • AVP.SettingsWindow
  • NOD32 2.5 Control Center

Spreads via...

Removable drives

Worm:Win32/Rotrumas.A searches your computer for removable drives. If found, it drops a copy of itself with the name "CDROM.exe" in the root folder of the drive. It also creates a file named "Autorun.inf" to automatically run its copy when the drive is accessed and if Autorun is enabled.
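The removable-drive mechanism above relies on an Autorun.inf in the drive root pointing at the dropped copy. The following is an added example (not Microsoft's or malwarePDF's tooling) that parses an Autorun.inf offline and lists what AutoRun would launch, flagging executables that sit in the drive root as CDROM.exe does here. The page gives only the dropped file name, so the file contents in the sample are constructed; the key names (open, shellexecute, shell\<verb>\command) are the standard Autorun.inf launch keys, not values taken from the worm.

```python
"""Inspect an Autorun.inf for the pattern the page describes: an [autorun]
section that launches an executable dropped in the root of a removable drive.

Added example, not Microsoft's or malwarePDF's tooling. The page gives only the
dropped file name (CDROM.exe), so the file contents below are constructed.
"""
import configparser
import ntpath

# Extensions Windows will execute directly from an open=/shellexecute= entry.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased keys ({} if none).

    configparser handles the INI layout; delimiters is restricted to '=' so
    that drive letters in values ("C:\\...") are not mistaken for separators.
    Malformed files (no section header, etc.) yield {} instead of raising.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def launched_programs(text):
    """Programs AutoRun would start: open=, shellexecute= and shell\\<verb>\\command=.

    Duplicates are collapsed and arguments after the program name are dropped.
    """
    progs = []
    for key, value in parse_autorun(text).items():
        is_launcher = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        parts = (value or "").split()
        if is_launcher and parts:
            prog = parts[0].strip('"')
            if prog not in progs:
                progs.append(prog)
    return progs


def root_level_executables(text):
    """Subset of launched programs that sit in the drive root with an executable
    extension, which is exactly where this worm drops CDROM.exe."""
    return [p for p in launched_programs(text)
            if ntpath.dirname(p) in ("", "\\")
            and ntpath.splitext(p)[1].lower() in EXEC_EXTS]


# Constructed sample in the shape the page describes; the verb/command entries
# are the usual ways an Autorun.inf launches a file, not copied from the worm.
WORM_INF = """[autorun]
open=CDROM.exe
shellexecute=CDROM.exe
shell\\open\\command=CDROM.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign example: icon and label only, nothing is executed.
LABEL_ONLY_INF = """[autorun]
icon=setup.exe,0
label=Product Install
"""

if __name__ == "__main__":
    for name, inf in (("worm-style", WORM_INF), ("label-only", LABEL_ONLY_INF)):
        print(name, "launches:", launched_programs(inf),
              "root-level executables:", root_level_executables(inf))
```

A root-level open= entry is normal on an installation CD, so the finding is meaningful for USB flash drives rather than optical media. The page's "if Autorun is enabled" caveat matters: Windows 7 and later, and patched XP/Vista systems, no longer honour Autorun.inf on USB flash drives, so the file is then only an indicator of infection, not an infection vector.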



Payload

Changes file and folder display settings

Worm:Win32/Rotrumas.A changes certain settings in the way that files and folders are displayed in Windows Explorer:

Removes the Folder Options menu item from the Tools menu:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
Sets value: "NoFolderOptions"
With data: "1"

Displays hidden files and folders:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0"

Hides file extensions:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
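The registry entries in the Installation section (Winlogon Shell and the two Run values) and the three Explorer display-setting changes just listed can be checked offline against a parsed hive or a .reg export. The following is an added example, not Microsoft's or malwarePDF's analysis code: it takes the registry as a plain dict and returns findings for each indicator on the page, including the Cyrillic homoglyph file names the page warns about. The sample data mirrors the page's entries; the Cyrillic letter "х" (U+0445) is a constructed stand-in for the letters the page shows as "?", since the page does not say which letters the worm uses.

```python
"""Offline triage of parsed registry values against the Rotrumas.A indicators
listed on this page. Added example, not Microsoft's analysis tooling.

Input is a plain dict {subkey: {value_name: data}} as you might build from a
hive parser or a .reg export, so it runs without touching a live registry.
"""
import ntpath
import re

# Subkeys named on the page; matching is case-insensitive.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
EXPLORER_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer"
EXPLORER_ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

DROP_DIR = re.compile(r"\\deter177\\", re.IGNORECASE)  # drop folder from the page
# System processes the worm impersonates; the real ones are started by the
# kernel/session manager and never appear as Run entries.
SYSTEM_NAMES = {"lsass", "smss"}


def _values(reg, subkey):
    """Case-insensitive lookup of all values under a subkey ({} if absent)."""
    for k, values in reg.items():
        if k.lower() == subkey.lower():
            return values
    return {}


def mixed_script(s):
    """True if s mixes Latin and Cyrillic letters (the homoglyph trick the page notes)."""
    has_latin = any("a" <= c.lower() <= "z" for c in s)
    has_cyrillic = any("\u0400" <= c <= "\u04ff" for c in s)
    return has_latin and has_cyrillic


def _as_int(v):
    """REG_DWORD may arrive as int or as the string "1"; None if not numeric."""
    try:
        return int(str(v).strip('"'))
    except ValueError:
        return None


def triage(reg):
    """Return [(severity, finding), ...] for the persistence and Explorer
    tampering indicators described on the page."""
    findings = []

    # Winlogon\Shell should be exactly "explorer.exe"; the worm appends its own
    # binary so the shell starts it at every logon.
    shell = _values(reg, WINLOGON).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon Shell modified: {shell!r}"))

    for key in RUN_KEYS:
        for name, data in _values(reg, key).items():
            stem = ntpath.splitext(ntpath.basename(str(data)))[0].lower()
            if (DROP_DIR.search(str(data)) or stem in SYSTEM_NAMES
                    or name.lower() in SYSTEM_NAMES):
                findings.append(("high", f"Run entry {name!r} -> {data!r}"))
            elif mixed_script(name) or mixed_script(str(data)):
                findings.append(("medium",
                                 f"Run entry with mixed-script name: {name!r} -> {data!r}"))

    # Explorer tampering from the Payload section.
    if _as_int(_values(reg, EXPLORER_POLICY).get("NoFolderOptions")) == 1:
        findings.append(("medium", "Folder Options menu removed (NoFolderOptions=1)"))
    # HideFileExt=1 is the Windows default, so on its own it is informational;
    # it matters here because the worm's copies carry folder icons.
    if _as_int(_values(reg, EXPLORER_ADVANCED).get("HideFileExt")) == 1:
        findings.append(("info", "File extensions hidden (HideFileExt=1)"))
    return findings


# Constructed sample mirroring the page's entries. "\u0445" (Cyrillic х) stands
# in for the letters the page shows as "?"; the real letters are not stated.
SAMPLE_REG = {
    WINLOGON: {"Shell": "explorer.exe C:\\Windows\\System32\\\u0445ht\u0445msys19.exe"},
    RUN_KEYS[0]: {"lsass": r"C:\Windows\System32\deter177\lsass.exe"},
    RUN_KEYS[1]: {"\u0445ht\u0445msys19.exe": r"C:\Windows\System32\ctfmon.exe"},
    EXPLORER_POLICY: {"NoFolderOptions": "1"},
    EXPLORER_ADVANCED: {"Hidden": "0", "HideFileExt": "1"},
}

# Constructed clean machine for comparison.
CLEAN_REG = {
    WINLOGON: {"Shell": "explorer.exe"},
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    EXPLORER_ADVANCED: {"Hidden": "2", "HideFileExt": "1"},
}

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_REG):
        print(f"[{sev}] {msg}")
```

Note the HKCU Run entry: its data is the legitimate ctfmon.exe path, so a path-based check alone misses it, and only the odd value name gives it away. That is why the mixed-script check exists; on a hive where the names render correctly it is the one indicator that catches this entry.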

Steals information

Worm:Win32/Rotrumas.A steals email addresses from your computer. It stores this information in a file named "psador18.dll", and the collected addresses are then sent to an email address that is also specified in this file.

Replaces image files and deletes document files

Worm:Win32/Rotrumas.A searches for image files with the extensions .JPEG and .JPG. It replaces these files with its own image (the original page shows a sample of the replacement image).



It also searches for documents with the extensions .DOC and .XLS. If found, it deletes the contents of these files.



Analysis by Elda Dimakiling

Last update 01 December 2012
