
Win32.Worm.Winko.I

MEDIUM
LOW
approx 20500 bytes

Symptoms

Presence of file c:\auto.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:

The filename of the malware will be considered to be <PseudoRandomName>.

The malware is made of two parts, each with its own purpose depending on the process in which the malware runs. The first part, the one that runs when the malware is injected into winlogon.exe, is the protection one. Every three seconds it adds the dll to the registry so that it starts at every Windows startup. It creates the key

HKLM\SYSTEM\CurrentControlSet\Services\<PseudoRandomName>

with the values

  • Type = 0x00000010
  • Start = 0x00000002
  • ErrorControl = 0x00000001
  • ImagePath = "%System%\<PseudoRandomName>.EXE -k"
  • DisplayName = "<PseudoRandomName2>"
  • ObjectName = "LocalSystem"
  • Description = "<PseudoRandomName>"

and the key

HKCU\SYSTEM\CurrentControlSet\Services\<PseudoRandomName>

with the values

  • Type = 0x00000010
  • Start = 0x00000002
  • ErrorControl = 0x00000001
  • ImagePath = "%System%\<PseudoRandomName>.EXE -k"
  • DisplayName = "<PseudoRandomName2>"
  • ObjectName = "LocalSystem"
  • Description = "<PseudoRandomName>"

It also disables Error Reporting by deleting all registry keys and values under HKLM\System\CurrentControlSet\Services\Ersvc.

It copies itself to c:\auto.exe and creates a file autorun.inf in which it writes

[AutoRun]
open = auto.exe
ShellExecute = auto.exe
shell\Auto\command = auto. exe

This will start the malware every time the c:\ drive is opened in explorer.exe. Another role of the winlogon part is to download and install updates. The malware tries to download a file named update.txt from http://33.xinga[hidden].cn/soft//update.txt. This is an ini file which contains a lot of information needed for the update of the malware, such as the new version of the malware, the url where the new version is located, the url for the startpage, an url that will be used to count how many times the update has been accessed by the infected computer, a value that tells the program after how many minutes the install of the update should begin,

The last thing that this part of the malware does is to inject itself into all running processes.
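The indicators listed above (the dropped c:\auto.exe, the autorun.inf entries, the service key values and the removed Ersvc key) can be checked on a host with a read-only script. The following PowerShell is an added example written for this page, not Bitdefender's removal tool: because the service name is pseudo-random, it matches services on the value pattern given in the description instead of on a name, and the regular expressions and the choice of %SystemRoot%\system32 as the expansion of %System% are assumptions of the example.

```powershell
# Added example (not Bitdefender's code): read-only check for the Winko.I indicators
# described above. Run in an elevated PowerShell session.
$findings = @()

# 1. Dropped file and autorun.inf in the root of the system drive
$autoExe = Join-Path $env:SystemDrive 'auto.exe'
$autorun = Join-Path $env:SystemDrive 'autorun.inf'
if (Test-Path -LiteralPath $autoExe) { $findings += "File present: $autoExe" }
if (Test-Path -LiteralPath $autorun) {
    $content = Get-Content -LiteralPath $autorun -Raw
    # Matches "open = auto.exe", "ShellExecute = auto.exe" and "shell\Auto\command = auto. exe";
    # the optional whitespace after the dot covers the "auto. exe" spelling shown above.
    if ($content -match '(?im)^\s*(open|shellexecute|shell\\auto\\command)\s*=\s*auto\.\s*exe\s*$') {
        $findings += "autorun.inf at $autorun launches auto.exe"
    }
}

# 2. Service entries with the persistence values from the description:
#    Type 0x10 (own process), Start 2 (automatic), LocalSystem, and an ImagePath of the
#    form "%System%\<name>.EXE -k" with nothing after "-k". Legitimate svchost entries
#    carry a group name after "-k", so the anchored pattern does not match them.
$systemDir = [regex]::Escape("$env:SystemRoot\system32")   # assumed expansion of %System%
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    if ($p.Type -eq 0x10 -and $p.Start -eq 2 -and $p.ObjectName -eq 'LocalSystem' -and
        $p.ImagePath -match "(?i)^(%System%|$systemDir)\\[^\\]+\.exe -k$") {
        $findings += "Suspicious service: $($svc.PSChildName) ImagePath=$($p.ImagePath)"
    }
}

# 3. Error Reporting service key removed. Ersvc exists on Windows XP/2003 only; on later
#    Windows versions the service is WerSvc, so this check is only meaningful on XP-era hosts.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Ersvc')) {
    $findings += 'Ersvc service key is missing (Error Reporting disabled)'
}

if ($findings.Count -eq 0) { 'No Winko.I indicators found.' } else { $findings }
```

The script only reports; a hit on the service pattern should be confirmed by inspecting the referenced executable before anything is removed, since the Type/Start/ObjectName values on their own are shared by many legitimate services.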

The second part runs from explorer.exe.

The first thread of this part is used to access the Alexa website. The requests are sent as if they came from Alexa Toolbar v7.2.

The second thread is used to open an Internet Explorer window on a link read by the malware from the downloaded file.

The third thread downloads and executes files from http://211.100.[hidden].4/.