Win32.Evaman.C@mm (Win32.Linort.A@mm)

MEDIUM
LOW
Size: 21504 bytes (packed with UPX)
Aliases: I-Worm.Mydoom.o (KAV)

Symptoms

Presence of "winlibs.exe" in the %system% folder (e.g. C:\Windows\System32) and in the process list.

The "Run" key under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" or "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion" contains a value named "winlibs.exe" whose data points to "%system%\winlibs.exe".

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] on Win9x/ME or [CTRL]+[SHIFT]+[ESC] on Windows 2000/XP
* on the Processes tab, select winlibs.exe and use End Process
* open Registry Editor: press [WIN]+[R], type regedit and press [ENTER]
* delete the value named "winlibs.exe" (whose data is "%system%\winlibs.exe") from "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and/or "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", whichever is present
* delete %system%\winlibs.exe

Note: from January 1, 2006 on, the worm logs the user off as soon as it starts (see the technical description below). If that prevents you from staying logged in long enough to perform these steps, boot into Safe Mode, where programs listed under the Run keys are not started, and carry them out there.

Automatic removal: let BitDefender disinfect infected files

Analyzed By

Mircea Ciubotariu BitDefender Virus Researcher

Technical Description:

This worm is a typical mass-mailer. It arrives as an infected attachment inside a zip archive and carries a few improvements over its preceding variants.

When run, it creates a thread that scans all running processes and the names of their loaded modules; if a name contains one of the following substrings, the process is terminated. The substrings are: uba, mc, Mc, av, AV, cc, sym, Sym, nv, can, scn, java, xp.exe, ecur, nti, erve, sss, iru, ort, SkyNet and KV. Several of them are short enough to hit processes that have nothing to do with security software.
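The routine above is easy to reproduce, and doing so shows how indiscriminate the substring list is. The following Python is an added example, not the worm's code or Bitdefender's: it applies the list to a constructed process snapshot (image names plus loaded module names) and reports which processes would be killed and why. Because the list carries both cases of several strings (mc/Mc, av/AV, sym/Sym), the comparison is assumed to be case-sensitive; the process and module names in the snapshot are made up for illustration.

```python
# Substrings from the description, in the order given. The list carries both
# cases of several strings (mc/Mc, av/AV, sym/Sym), so matching is treated as
# case-sensitive here (an assumption; the description does not say).
KILL_SUBSTRINGS = [
    "uba", "mc", "Mc", "av", "AV", "cc", "sym", "Sym", "nv", "can", "scn",
    "java", "xp.exe", "ecur", "nti", "erve", "sss", "iru", "ort", "SkyNet", "KV",
]


def first_match(name):
    """Return the first listed substring contained in name, or None."""
    for needle in KILL_SUBSTRINGS:
        if needle in name:
            return needle
    return None


def kill_targets(processes):
    """processes: {image name: [loaded module names]} (a constructed snapshot).

    Returns {image name: (name that matched, substring)} for every process the
    worm's routine would terminate. The image name is tested first, then each
    module in order; the first hit decides.
    """
    killed = {}
    for proc, modules in processes.items():
        for candidate in [proc, *modules]:
            hit = first_match(candidate)
            if hit is not None:
                killed[proc] = (candidate, hit)
                break
    return killed


# Constructed snapshot: tools the list is aimed at, plus bystanders.
SAMPLE_PROCESSES = {
    "explorer.exe": ["shell32.dll", "user32.dll"],
    "svchost.exe": ["ntdll.dll", "rpcrt4.dll"],
    "mcshield.exe": ["mcshield.dll"],            # McAfee scanner service
    "ccApp.exe": ["ccL35.dll"],                  # Symantec common client
    "navapsvc.exe": ["navapi32.dll"],            # Norton AntiVirus service
    "outlook.exe": ["mso.dll", "mcscan32.dll"],  # benign host with an AV plug-in loaded
    "javaw.exe": ["jvm.dll"],                    # bystander: "av" (and "java") match
    "nvsvc32.exe": ["nvsvc.dll"],                # bystander: "nv" matches a display driver service
    "AvGuard.exe": ["AvGuard.dll"],              # survives: "Av" is neither "av" nor "AV"
}


if __name__ == "__main__":
    for proc, (where, needle) in kill_targets(SAMPLE_PROCESSES).items():
        print(f"kill {proc:14s} because {where!r} contains {needle!r}")
```

Running it shows outlook.exe dying only because a scanner DLL is mapped into it, and javaw.exe and nvsvc32.exe dying although they are not security products at all, while a product whose name happens to use a different letter case slips through.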

Then it checks for registry marker keys to determine whether this is the first execution of the worm on the victim machine. These keys are "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs" and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\winlibs".

If neither is found, they are created and a "notepad" instance is spawned as a decoy to fool the user.

Otherwise (on later runs) it attempts to create the mutex "NorthernLightMixed" to avoid a duplicate copy running at the same time.

Next the worm installs itself by copying to the %system% directory under the name "winlibs.exe" and setting a value "winlibs.exe" under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" or "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" that points to "%system%\winlibs.exe".

Then it checks whether the local date is past January 1, 2006, in which case the worm logs off the current user. Since it is already set to run at startup, this results in an immediate log-off right after any user logs in.

Finally it creates a thread to send emails and begins harvesting email addresses. It searches in three stages:
1. the Windows Address Book (WAB), located via the "HKCU\Software\Microsoft\WAB\WAB4\Wab File Name" registry entry
2. recursively in the Temporary Internet Files (TIF) folder, "%USERPROFILE%\Local Settings\Temporary Internet Files"
3. recursively on drives C:\ through Z:\, but only fixed disks and RAM disks

During the recursive scans only files with the following extensions are searched for email addresses: txt, dhtm, msg, htm, xml, eml, html, sht, shtm, shtml, jse, jsp, js, php, cfg, asp, ods, mmf, dbx, tbb, adb, pl and wab.

The forged sender address starts with one of the following local parts: mike@, jennifer@, david@, linda@, susan@, nancy@, pamela@, eric@, kevin@, mary@, jessica@, patricia@, barbara@, karen@, sarah@, robert@, john@, daniel@, jason@ or joe@, combined with various domain names.

The attachment name is composed of one of the following base names: mail, message, attachment, transcript, text, document, file or readme, combined with one of the following extensions: .exe, -txt.exe, -htm.exe or -txt.scr.

Subject may be one of the following:
SN: New secure mail
Secure delivery
failed transaction
Re: hello (Secure-Mail)
Re: Extended Mail
Delivery Status (Secure)
Re: Server Reply
SN: Server Status

The email addresses are filtered so that their domain names do not contain one of the following sub-strings: .edu, Bug, ugs, bug, upport, ICROSOFT, icrosoft, oot, dmin, ymat, avp, ecur, @MM, ebmast, help, opho, inpris, omain, senet, panda, 32., @mm, msn, inux, umit, nfo, irus, buse, orton, cafee, spam, Spam, SPAM, ntivi, eport, user, inzip, inrar, rend, pdate, USER, ating, ample, ists, persk, ccoun, ompu, msdn, YOU, you, oogle, arsoft, otmail, sarc, soft, ware, .gov, .mil, cribe, list, eturn, omment, Sale, sale, CRIBE, gmail, ruslis, ibm, win and !.
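To make the harvesting and filtering concrete, the following Python is an added example, not the worm's code or Bitdefender's. It models stage 3 of the harvest (the recursive disk walk) over a constructed in-memory file tree, reads only files whose extension is on the list above, pulls out addresses with a regular expression, and then applies the exclusion list. The paths, file contents and addresses are made up; the drive-type check and the WAB lookup are not modelled. One assumption is stated in the code: since entries such as "@mm" and "dmin" can only match the "@" or the local part, the exclusion test here is applied to the whole address rather than to the domain alone.

```python
import ntpath
import re

# Extensions the worm reads during the recursive scans (from the description).
SCANNED_EXTENSIONS = {
    "txt", "dhtm", "msg", "htm", "xml", "eml", "html", "sht", "shtm", "shtml",
    "jse", "jsp", "js", "php", "cfg", "asp", "ods", "mmf", "dbx", "tbb", "adb",
    "pl", "wab",
}

# Exclusion substrings in the order listed. Several (e.g. "@mm", "dmin") can
# only match the local part, so the test below is run over the whole address
# (assumption: the description speaks of domain names).
BLOCKED_SUBSTRINGS = [
    ".edu", "Bug", "ugs", "bug", "upport", "ICROSOFT", "icrosoft", "oot", "dmin",
    "ymat", "avp", "ecur", "@MM", "ebmast", "help", "opho", "inpris", "omain",
    "senet", "panda", "32.", "@mm", "msn", "inux", "umit", "nfo", "irus", "buse",
    "orton", "cafee", "spam", "Spam", "SPAM", "ntivi", "eport", "user", "inzip",
    "inrar", "rend", "pdate", "USER", "ating", "ample", "ists", "persk", "ccoun",
    "ompu", "msdn", "YOU", "you", "oogle", "arsoft", "otmail", "sarc", "soft",
    "ware", ".gov", ".mil", "cribe", "list", "eturn", "omment", "Sale", "sale",
    "CRIBE", "gmail", "ruslis", "ibm", "win", "!",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(files):
    """files: {path: text} stands in for the recursive walk of a drive.

    Only files whose extension is on the worm's list are read; everything
    else is skipped, however many addresses it contains.
    """
    found = set()
    for path, text in files.items():
        ext = ntpath.splitext(path)[1].lstrip(".").lower()
        if ext in SCANNED_EXTENSIONS:
            found.update(EMAIL_RE.findall(text))
    return found


def blocked_by(address):
    """Return the first exclusion substring found in address, or None."""
    for needle in BLOCKED_SUBSTRINGS:
        if needle in address:
            return needle
    return None


def select_targets(addresses):
    """Split harvested addresses into (kept, {dropped address: reason})."""
    kept, dropped = set(), {}
    for addr in sorted(addresses):
        hit = blocked_by(addr)
        if hit is None:
            kept.add(addr)
        else:
            dropped[addr] = hit
    return kept, dropped


# Constructed file tree: paths and contents are invented for this example.
FILES = {
    r"C:\Documents and Settings\u\My Documents\contacts.txt":
        "alice@example.com, carol@company.org",
    r"C:\Documents and Settings\u\Local Settings\Temporary Internet Files\page.htm":
        "<a href='mailto:bob@hotmail.com'>Bob</a> dave@mit.edu grace@aol.com",
    r"C:\Documents and Settings\u\Local Settings\Application Data\Identities\Inbox.dbx":
        "From: admin@corp.net\nTo: frank@darwin.org",
    r"C:\Documents and Settings\u\My Documents\holiday.jpg":
        "ignored@aol.com",      # .jpg is not on the list, so never read
}


if __name__ == "__main__":
    kept, dropped = select_targets(harvest(FILES))
    for addr, why in dropped.items():
        print(f"drop {addr:20s} (contains {why!r})")
    print("targets:", sorted(kept))
```

Of seven harvested addresses only two survive the filter: alice@example.com is dropped because "example" contains "ample", frank@darwin.org because "darwin" contains "win", and admin@corp.net because of "dmin". The list is meant to avoid vendors, administrators and honeypots, but substrings this short also discard a good share of ordinary recipients, which is worth knowing when reconstructing the spread from mail logs.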

It was compiled with Visual C++ 6.00 and packed with UPX.