Dropped:Win32.Warezov.DO@mm

MEDIUM
MEDIUM
~ 28 Kb
(Win32/Stration, Win32.HLLM.Limar, Win32/Stratio, Win32/Strati, Email-Worm.Win32.Warezov)

Symptoms

Unknown processes running from the System32 directory with names like FFFFFFFFFF.exe or wwwwwwwwww.exe. Security products being unable to start.

Removal instructions:

Please let BitDefender delete your files.

Analyzed By

Attila Balazs, virus researcher

Technical Description:

This malware is composed of three parts:

  1. A DLL with a size of 8704 bytes which gets loaded into every process and has the purpose of killing different Windows services (related to security products and Windows Update). It accomplishes this by registering itself in the AppInit_DLLs value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key. The targeted services are:

    wuauserv
    SNDSrvc
    kavsvc
    NOD32krn
    wuauclt
    tbmon
    mcupdate
    luinvk
    lsetup
    alunotify
    ndetect
    luall
    aupdaten
    kav
    autodown
    spiderml
    drwebupw
    upgrader
    wupdmgr
    sndsrvc
    kavsvc
    avgupsvc
    avginet

  2. A dropper with a size of 28708 bytes, packed with UPX. This drops the downloader component (described below) into the System32 directory under a random name like FFFFFFFFFF.exe or wwwwwwwwww.exe and executes it.

  3. The downloader component has a size of 14336 bytes. Upon execution it shows a fake error message with the text "Unknown error", which has the purpose of misleading the user into believing that the executable did not run. Then it waits until an Internet connection is available, downloads an executable from a predefined URL and executes it. The download is done directly with the Winsock functions, so it fails on a computer that can only reach the Internet through a configured proxy server.
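The three components above leave host-side indicators a responder can check without the sample in hand: an unexpected entry in AppInit_DLLs, a process running from System32 whose name is one repeated character, and targeted services that are no longer running. The following is an added triage helper written for this entry; it is not Bitdefender's tooling. The kill list is copied from the description; the "at least six repeated characters" threshold in the file-name pattern, the allow-list parameter and all sample inputs are my own constructions. The live-collection function needs Windows and is only called when running there.

```python
"""Triage helpers for the indicators described in the Win32.Warezov.DO@mm entry.

Added illustration, not Bitdefender's code. Checks three things the write-up
names: the AppInit_DLLs persistence value, processes running from System32
under a name made of one repeated character (FFFFFFFFFF.exe, wwwwwwwwww.exe),
and names from the kill list that are not running. Sample data is constructed.
"""
import re
import sys

# Services/processes the injected DLL tries to kill, copied from the description.
TARGETED_SERVICES = {
    "wuauserv", "SNDSrvc", "kavsvc", "NOD32krn", "wuauclt", "tbmon", "mcupdate",
    "luinvk", "lsetup", "alunotify", "ndetect", "luall", "aupdaten", "kav",
    "autodown", "spiderml", "drwebupw", "upgrader", "wupdmgr", "sndsrvc",
    "avgupsvc", "avginet",
}

# The dropper writes the downloader as one character repeated plus ".exe".
# Requiring at least six repetitions is an assumption to keep false positives down.
REPEATED_CHAR_EXE = re.compile(r"^([A-Za-z0-9])\1{5,}\.exe$", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"


def is_repeated_char_exe(image_path: str) -> bool:
    """True if the file name part is a single repeated character with an .exe extension."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return REPEATED_CHAR_EXE.match(name) is not None


def suspicious_processes(processes):
    """processes: iterable of (pid, image_path). Returns PIDs running such a name from System32."""
    hits = []
    for pid, path in processes:
        norm = path.lower().replace("/", "\\")
        if norm.startswith(SYSTEM32 + "\\") and is_repeated_char_exe(norm):
            hits.append(pid)
    return hits


def parse_appinit(value: str):
    """Split an AppInit_DLLs value (space- or comma-separated) into its DLL entries."""
    return [entry for entry in re.split(r"[ ,]+", value.strip()) if entry]


def appinit_findings(value: str, known_good=()):
    """Return AppInit_DLLs entries not on the allow list. Any entry is unusual on a workstation."""
    good = {g.lower() for g in known_good}
    return [e for e in parse_appinit(value) if e.lower() not in good]


def stopped_targets(service_states):
    """service_states: dict name -> state. Returns kill-list names whose state is not 'Running'."""
    targets = {t.lower() for t in TARGETED_SERVICES}
    return sorted(name for name, state in service_states.items()
                  if name.lower() in targets and state.lower() != "running")


def read_appinit_live() -> str:
    """Read the real AppInit_DLLs value (Windows only; key path is the one named in the description)."""
    import winreg  # only importable on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    return value


if __name__ == "__main__":
    # Constructed sample data standing in for tasklist / sc query / registry output.
    sample_processes = [
        (4, r"C:\Windows\System32\svchost.exe"),
        (1337, r"C:\WINDOWS\system32\FFFFFFFFFF.exe"),
        (2048, r"C:\Windows\System32\wwwwwwwwww.exe"),
        (99, r"C:\Users\user\FFFFFFFFFF.exe"),  # not in System32, left for review elsewhere
    ]
    sample_services = {"wuauserv": "Stopped", "kavsvc": "Running", "NOD32krn": "Stopped"}
    appinit = read_appinit_live() if sys.platform == "win32" else r"C:\WINDOWS\system32\xxxxxxxx.dll"
    print("suspicious PIDs:", suspicious_processes(sample_processes))
    print("AppInit_DLLs entries:", appinit_findings(appinit))
    print("kill-list names not running:", stopped_targets(sample_services))
```

An empty AppInit_DLLs value is the expected state on a clean workstation, so any entry this reports deserves a look at the referenced file's size and signer; an 8704-byte unsigned DLL would match the first component described above.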