When the worm executes, it disables system file protection and then copies itself as the following file:
C:\Program Files\Internet Explorer\iexplore.exe
It then copies C:\Program Files\Internet Explorer\iexplore.exe to the following folder:
C:\WINDOWS\system32\dllcache
The worm then creates the following files:
- %System%\dllcache\svchost.exe:svchost.exe
- %System%\svchost.exe:svchost.exe
- %Windir%\lsass.exe
- C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
- C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
- C:\Program Files\McAfee.com\Agent\mcupdate.exe
Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SvcHost" = "C:\WINDOWS\system32\svchost.exe:svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[WORM FILE NAME]" = "[WORM FILE NAME]:*:enabled:@xpsp2res.dll,-22019"
The worm registers itself as a service with the following characteristics:
Service Name: SvcHost
Display Name: SvcHost
Description: Generic Host Process for Win32 Services. If this service is disabled, any services that explicitly depend on it will fail to start.
Image Path: C:\WINDOWS\system32\svchost.exe:svchost.exe
It attempts to run itself as the following services:
- Automatic LiveUpdate Scheduler
- LiveUpdate
The worm attempts to modify the binary files of the srservice and wuauserv services with the following file so that it starts when the srservice or wuauserv service is run:
C:\WINDOWS\system32\svchost.exe:svchost.exe
The worm drops the following components:
- c:\zyxwvuts.log
- %System%\msfsr.sys, which is 4,096 bytes in length
- %System%\drivers\[SIX RANDOM LOWER CASE LETTERS].sys, which is 6,144 bytes in length
It attempts to run %System%\msfsr.sys as a service with the following characteristics:
Service Name: msfsr
Display Name: msfsr
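As an added, read-only host check (this script is not part of the Symantec writeup), the following PowerShell looks for the persistence artifacts listed above: the alternate data streams hidden behind legitimate svchost.exe, the "SvcHost" Run value, the firewall whitelist entry, the SvcHost and msfsr services and the dropped files. File, key and service names are taken from this writeup; the regular expressions that flag a path as an alternate data stream are this example's own assumption, and it requires PowerShell 3 or later run with administrative rights.

```powershell
# Added example, not Symantec's code: reports indicators from this writeup, changes nothing.
$findings = @()

# 1. Alternate data streams on the files the worm attaches itself to.
#    A clean file exposes only the unnamed ':$DATA' stream; "svchost.exe:svchost.exe"
#    is a second stream and does not show up in a normal directory listing.
$paths = @("$env:SystemRoot\System32\svchost.exe",
           "$env:SystemRoot\System32\dllcache\svchost.exe")
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $extra = Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $extra) { $findings += "ADS on ${p}: $($s.Stream) ($($s.Length) bytes)" }
    }
}

# 2. The HKCU Run value named SvcHost (autostart entry from the writeup).
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SvcHost']) {
    $findings += "Run value SvcHost = $($run.SvcHost)"
}

# 3. Windows Firewall authorized-application list: the value name is the program
#    path, so a name that ends in ".exe:<stream>" whitelists an alternate data stream.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -match '^[A-Za-z]:\\.*\.exe:[^\\]+$') {
            $findings += "Firewall whitelist entry for ADS path: $($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. Services named in the writeup, or any service whose image path points into a stream.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.Name -in @('SvcHost', 'msfsr') -or $svc.PathName -match '\.exe:[^\\\s]+') {
        $findings += "Service $($svc.Name): $($svc.PathName)"
    }
}

# 5. Dropped files. Note that the real lsass.exe lives in System32, not in %Windir%.
foreach ($f in @("$env:SystemRoot\lsass.exe", 'C:\zyxwvuts.log', "$env:SystemRoot\System32\msfsr.sys")) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

if ($findings.Count -eq 0) { 'No indicators from this writeup were found.' } else { $findings }
```

The firewall and service checks flag any stream-style path, not only the names in this writeup, so review each hit rather than treating it as proof of this particular worm.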
The worm then ends processes that contain the following strings by using the "NET STOP" command:
- Browser
- lanmanserver
- McShield
- navapsvc
- sharedaccess
- SymAppCore
- wscsvc
The worm attempts to modify the file system.ini so that it runs when Windows starts.
It connects to the following IRC server and waits for commands from a remote attacker:
www.mi5.gov.uk
The worm then exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) using TCP port 139.
The worm gathers the current user's SMTP information from the registry. It also gathers email addresses from the Windows Address Book, and from files in the above-mentioned folders on drives C to Y (if the drive is a fixed drive or RAM drive) whose extension is one of the following:
- .adb
- .adr
- .asp
- .bag
- .bcm
- .bcn
- .bgt
- .bib
- .blt
- .brk
- .btr
- .btx
- .cat
- .cdm
- .cgi
- .clb
- .css
- .csv
- .dht
- .dld
- .doc
- .dvc
- .edb
- .eml
- .gam
- .gdb
- .gup
- .ht
- .iaf
- .imb
- .imc
- .jav
- .ldb
- .log
- .map
- .mht
- .mlm
- .mmf
- .na2
- .nsf
- .nws
- .oft
- .pab
- .pdf
- .php
- .ply
- .pmx
- .pop
- .pst
- .rtf
- .sht
- .smd
- .snm
- .sql
- .tbb
- .tex
- .txt
- .uin
- .vbc
- .vbs
- .vcf
- .wab
- .wsh
- .xml
- .xsl
The email has the following characteristics:
From: [SPOOFED].
One of the following:
- updates@McAfee.com
- updates@Microsoft.com
- updates@Symantec.com
- [CURRENT USER'S EMAIL ADDRESS]
- [RANDOM NAME]@aol.com
- [RANDOM NAME]@msn.com
- [RANDOM NAME]@yahoo.com
- [RANDOM NAME]@hotmail.com
Attachment:
One of the following:
- Alien vs. Predator 2
- Angelina Jolie
- Assassin
- Auto Assault
- BioShock
- Britney Spears
- CSI: London
- Carmen Electra
- Command & Conquer 3: Tiberium Wars
- Crysis
- Dragonball
- Dungeons & Dragons Online: Stormreach
- Enemy Territory: Quake Wars
- Extreme Ghouls n' Ghosts
- Final Fantasy XIII
- Full Auto
- Full Auto 2: Battlelines
- Ghost Recon: Advanced Warfighter
- Ghost Rider
- Grey's Anatomy - next season
- Half-Life 2: Aftermath
- Halo 3
- Hellgate: London
- Heroes season 2
- Hilary Duff
- Huxley
- Indiana Jones 4
- Jennifer Lopez
- Jericho season 2
- Jessica Alba
- Jessica Simpson
- Killzone PS3
- Live Free or Die Hard
- Lost season 4
- Metal Gear: Subsistence
- Neverwinter Nights 2
- Pamela Anderson
- Paris Hilton
- Premonition
- Prey
- Pursuit Force
- Rainbow Six: Vegas
- Resident Evil 3
- Resident Evil 5
- Resistance: Fall of Man
- Rush Hour 3
- Shark season 2
- Six Degrees season 2
- Smith season 2
- Spider-Man 3
- Splinter Cell: Double Agent
- Spore
- Star Trek: Legacy
- Star Wars: Empire at War
- Starcraft: Ghost
- Studio 60 on the Sunset Strip season 2
- Tekken
- Terminator 4
- The Hills Have Eyes II
- Unreal Tournament 2007
- Virtua Fighter 5
- Warhammer Online Age Of Reckoning
- attachment
- casino
- details
- document
- gaming
- hiddensite
- instructions
- letter
- mail
- message
- msg
- myspace
- myspacedetails
- onlinecasino
- onlinegaming
- onlinepoker
- poker
- pokerstrategy
- pokertechnique
- readme
- Assassins Creed
- text
- transcript
- your SSN etc
- your bank account details
- your financial details
- your financial information
- your personal details
- your personal information
- your tax returns
- yourhiddensite
- yourmyspacedetails
- yoursite
- yourwebsite
- yousite
Followed by one of the following extensions:
- .gif
- .html
- .jpeg
- .mp3
- .rtf
- .txt
- .wma
The attachment can also be a combination of some of the following strings:
- [BLANK]
- flickr-you
- free mix
- tune you
Note: The attachment may have double extensions.
The worm attempts to copy itself to any folder whose name contains one of the following on drives C to Y, if the drive is a fixed drive or RAM drive:
- BearShare
- Collections
- Downloads
- my shared folder
- share
- shared
- upload
- uploads
The file name may be any of the following:
- Age of Conan-Hyborian Adventures
- Assassin's Creed
- BioShock
- Command & Conquer 3-Tiberium Wars
- Company of Heroes
- Crysis
- Desperados 2-Cooper's Revenge
- Dragon Age
- Dreamfall-The Longest Journey
- Dungeons & Dragons Online-Stormreach
- Elder Scrolls IV-Oblivion
- Enemy Territory-Quake Wars
- Final Fantasy XIII
- Final Fantasy XIV
- Full Auto 2-Battlelines
- Gears of War
- Ghost Recon-Advanced Warfighter
- Gran Turismo HD
- Grand Theft Auto IV
- Guild Wars-Factions
- Half-Life 2-Aftermath
- Hellgate-London
- Heroes of Might & Magic V
- Killzone PS3
- Kingdom Hearts 2
- Metal Gear-Subsistence
- Metroid Prime Hunters
- Neverwinter Nights 2
- Okami
- Prey
- Rainbow Six-Vegas
- Red Steel
- Resident Evil 5
- Resistance-Fall of Man
- Rise of Nations-Rise of Legends
- S.T.A.L.K.E.R.-Shadow of Chernobyl
- Splinter Cell Essentials
- Splinter Cell-Double Agent
- Spore
- Star Trek-Legacy
- Star Wars-Empire at War
- Starcraft-Ghost
- Supreme Commander
- The Lord of the Rings-The Battle for Middle-earth II
- Too Human
- Unreal Tournament 2007
- Vanguard Saga of Heros
- Virtua Fighter 5
- Vista
- Vista Ultimate
- Warhammer Online Age Of Reckoning
- World of Warcraft-The Burning Crusade
Followed by one of the following strings:
- - Full.exe
- - Keygen.exe
- .iso.exe
- .zip.exe
The file name may also be any of the following:
- 10,000 B.C.
- 1408
- 28 Weeks Later
- 30 Days of Night
- 30 Rock season 2
- 300
- Across the Universe
- Alien vs. Predator 2
- Alpha Dog
- American Gangster
- Angel-A
- Angelina Jolie
- Angelina Jolie(unseen)
- Are We Done Yet?
- Atonement
- August Rush
- Balls of Fury
- Because I Said So
- Beowulf
- Black Book
- Blades of Glory
- Breach
- Britney Spears
- Britney Spears(unseen)
- Brother & Sisters season 2
- CSI-London
- Captivity
- Carmen Electra
- Carmen Electra(unseen)
- Criminal Minds - next season
- Dallas
- Dancing with the Stars - next season
- Death at a Funeral
- Delta Farce
- Desperate Housewives - next season
- Disturbia
- Dragonball
- Eastern Promises
- El Cantante
- Enchanted
- Epic Movie
- Evening
- Fantastic Four 2
- Firehouse Dog
- Fly Me to the Moon
- Foodfight!
- Fracture
- Fragile
- Freedom Writers
- Full of It
- GhostRider
- Gilmore Girls season 8
- God Grew Tired of Us
- Grey's Anatomy - next season
- Grind House
- Hairspray
- Halloween
- Halo
- Hannibal Rising
- Heroes season 2
- Hilary Duff
- Hilary Duff(unseen)
- His Dark Materials-The Golden Compass
- Horton Hears a Who
- Hostel 2
- Hot Fuzz
- Hot Rod
- In the Land of Women
- Inkheart
- Iron Man
- Jennifer Lopez
- Jennifer Lopez(unseen)
- Jericho season 2
- Jessica Alba
- Jessica Alba(unseen)
- Jessica Simpson
- Jessica Simpson(unseen)
- Journey 3-D
- Jumper
- Kidnapped season 2
- Kung Fu Panda
- La Vie en Rose
- Live Free or Die Hard
- Lost season 4
- Lucky You
- Lust, Caution
- Master of Time and Space
- Next
- No Reservations
- Ocean's Thirteen
- Offside
- Opus-The Last Christmas
- Pamela Anderson
- Pamela Anderson(unseen)
- Paris Hilton
- Paris Hilton(unseen)
- Pathfinder
- Perfect Stranger
- Premonition
- Pride
- Pride & Glory
- Prison Break season 3
- Prom Night (2007)
- Reservation Road
- Resident Evil 3
- Rocket Science
- Rogue
- Romeo & Juliet-Sealed with a Kiss
- Rush Hour 3
- Scrubs - next season
- Seven Day Itch
- Severance
- Shark season 2
- Shoot 'Em Up
- Shooter
- Silk
- Six Degrees season 2
- Skinwalkers
- Slow Burn
- Smith season 2
- Smokin' Aces
- South Park season 11
- Southland Tales
- Spider-Man 3
- Spring Breakdown
- Standoff season 2
- Stardust
- Stomp the Yard
- Strange Wilderness
- Strangers
- Studio 60 on the Sunset Strip season 2
- Sunshine
- Super Bad
- Surf's Up
- Talk to Me
- Terminator 4
- The Assassination of Jesse James
- The Dark Is Rising
- The Flock
- The Half Life of Timofey Berezin
- The Hills Have Eyes II
- The Hitcher
- The Hoax
- The Host
- The Ice at the Bottom of the World
- The Invasion
- The Invisible
- The Kingdom
- The Last Legion
- The Last Sin Eater
- The Lives of Others
- The Messengers
- The Namesake
- The Nine season 2
- The Number 23
- The OC season 5
- The Office season 4
- The Reaping
- The Simpsons
- The Spiderwick Chronicles
- The TV Set
- The Transformers
- The Ultimate Gift
- The Valet
- The Waterhorse
- The Astronaut Farmer
- This Christmas Til Death season 2
- Trade
- Trick 'r Treat
- Ugly Betty season 2
- Underdog
- Untraceable
- Vacancy
- Vantage Point
- Veronica Mars - next season
- Whisper
- Wild Hogs
- Without a Trace - next season
- Wonder Woman
- Zodiac
With one of the following extensions:
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Run a full system scan.
- Delete any values added to the registry.
- Find and stop the service.
- Reinstall your Symantec antivirus program.
For specific details on each of these steps, read the following instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article:
Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
- Running LiveUpdate, which is the easiest way to obtain virus definitions.
- Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).
The latest Intelligent Updater virus definitions can be obtained here:
Intelligent Updater virus definitions. For detailed instructions read the document:
How to update virus definition files using the Intelligent Updater.
3. To run a full system scan
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document,
How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.
Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document:
How to make a backup of the Windows registry.
- Click Start > Run.
- Type regedit
- Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
- Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SvcHost" = "C:\WINDOWS\system32\svchost.exe:svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[WORM FILE NAME]" = "[WORM FILE NAME]:*:enabled:@xpsp2res.dll,-22019"
- Exit the Registry Editor.
5. To find and stop the service
- Click Start > Run.
- Type services.msc, and then click OK.
- Locate and select the service that was detected.
- Click Action > Properties.
- Click Stop.
- Change Startup Type to Manual.
- Click OK and close the Services window.
- Restart the computer.
6. To reinstall your Symantec antivirus program
As this risk attempts to remove the files and registry subkeys that your Symantec antivirus program uses, you may need to reinstall the program. If your Symantec antivirus program is not working properly, uninstall, and then reinstall it.