
Win32.Worm.McMaggot.A

MEDIUM
MEDIUM
~450KB
(MyDoom)

Symptoms

Registry:
Presence of:
"Wind River Systems" in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
with data "%WinDir%\system32\vxworks.exe"

"QnX" in "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
with data "%WinDir%\system32\qnx.exe"

"QnX" in "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
with data "%WinDir%\system32\qnx.exe"

"{77520Q86-864L-N81R-0R2W-7U2G0P22436U}" subkey in
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" with value "qnx.exe"

Disk:
  files vxworks.exe and qnx.exe in %WinDir%\system32\
  file drm.ocx in %WinDir%\ (file has the hidden attribute set)

Network:
  network activity on port 25

Removal instructions:

Please let BitDefender remove your infected files.

Analyzed By

Marius TIVADAR, virus researcher

Technical Description:

After decrypting its data, the worm uses www.whatismyip.com to obtain the public IP address of the newly infected host. Next, it harvests e-mail addresses: it extracts them from Thunderbird and MS Outlook, and also searches through files on all drives.

It installs itself in the registry so that it survives a reboot.

It lowers system security by editing the registry key:
   "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
   value
   "LowRiskFileTypes"='.zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav'

The worm is also meant to set the registry key:
   "HKCU\Software\Microsoft\Internet Explorer\Download"
   values:
     CheckExeSignatures="no"
     RunInvalidSignatures=0x1
but because of a bug in its code, it does not do this correctly.

These registry settings would allow files to be downloaded from the Internet and executed automatically, without any popup warning the user about the security risk.

It adds itself to the Windows Firewall's authorized applications list. To do this, it modifies the registry key
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List", adding "%WinDir%\system32\vxworks.exe", so that Windows Firewall permits Internet activity for the worm.
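The registry, file and firewall indicators described above can be checked on a host with a short read-only script. The following PowerShell is an added example written for this page, not Bitdefender's tooling; it only reports findings and removes nothing, and the firewall path assumes the XP/2003-style StandardProfile key named above.

```powershell
# Added example: report the Win32.Worm.McMaggot.A indicators listed on this page.
# Read-only: nothing is deleted or modified.
$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Pattern)
    try { $v = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return }                       # value absent: not an indicator
    if ("$v" -match $Pattern) { $script:findings += "$Path\$Name = $v" }
}

# Run-key persistence (HKLM and HKCU) and the Active Setup subkey
Test-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' 'Wind River Systems' 'vxworks\.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' 'QnX' 'qnx\.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'QnX' 'qnx\.exe'
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}'
if (Test-Path -LiteralPath $asKey) { $findings += "Active Setup subkey present: $asKey" }

# Security-lowering settings: .exe marked low-risk, IE signature checks disabled
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations' 'LowRiskFileTypes' '\.exe'
Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Download' 'CheckExeSignatures' '^no$'
Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Download' 'RunInvalidSignatures' '^1$'

# Windows Firewall authorized-application list: value names are the program paths
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    (Get-Item -LiteralPath $fwList).Property | Where-Object { $_ -match 'vxworks\.exe' } |
        ForEach-Object { $findings += "Firewall exception: $_" }
}

# Dropped files, including the keylog file drm.ocx (hidden attribute is itself an indicator)
$sys32 = Join-Path $env:WINDIR 'system32'
foreach ($f in @((Join-Path $sys32 'vxworks.exe'), (Join-Path $sys32 'qnx.exe'), (Join-Path $env:WINDIR 'drm.ocx'))) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}
$drm = Get-Item -Force -LiteralPath (Join-Path $env:WINDIR 'drm.ocx') -ErrorAction SilentlyContinue
if ($drm -and ($drm.Attributes -band [IO.FileAttributes]::Hidden)) { $findings += 'drm.ocx has the hidden attribute' }

if ($findings.Count -eq 0) { 'No McMaggot.A indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

Run it from an elevated prompt so the HKLM firewall key and system32 are readable; a hit on any line is a reason to let the antivirus product perform the removal.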

Meanwhile, another component, detected as Backdoor.Bot.67413, is loaded. It has backdoor capability and also logs everything you type, saving the keystrokes to a file (drm.ocx), which it then sends to a server.

Spreading mechanism:
The worm spreads by copying itself into the shared folders of peer-to-peer applications (Kazaa, DC++, eMule, Morpheus, Tesla, etc.) using the following "hot" file names:

"Windows XP PRO Corp SP3 valid-key generator.exe"
"Kaspersky Internet Security 2009 keygen.exe"
"Tuneup Ultilities 2008.exe"
"Joannas Horde Leveling Guide TBC Woltk.exe"
"Wow WoLTk keygen generator-sfx.exe"
"FOOTBALL MANAGER 2009.exe"
"Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe"
"Half life 3 preview 10 minutes gameplay video.exe"
"Sophos antivirus updater bypass.exe"
"xbox360 flashing tools and guide including bricked drive fix.exe"
"Google Earth Pro 4.2. with Maps and crack.exe"
"Ultimate xxx password generator 2009.exe"
"Perfect keylogger family edition with crack.exe"
"Divx Pro 6.8.0.19 + keymaker.exe"
"G-Force Platinum v3.7.5.exe"
"Power ISO v4.2 + keygen axxo.exe"
"Super Utilities Pro 2009 11.0.exe"
"CleanMyPC Registry Cleaner v6.02.exe"
"Alcohol 120 v1.9.7.exe"
"Silkroad Online guides and wallpapers.exe"
"Download Boost 2.0.exe"
"Daemon Tools Pro 4.11.exe"
"Absolute Video Converter 6.2.exe"
"Microsoft Visual Studio 2008 KeyGen.exe"
"Smart Draw 2008 keygen.exe"
"Motorola, nokia, ericsson mobil phone tools.exe"
"Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe"
"Myspace theme collection.exe"
"Internet Download Manager V5.exe"
"Opera 10 cracked.exe"
"Download Accelerator Plus v8.7.5.exe"
"LimeWire Pro v4.18.3.exe"
"Acker DVD Ripper 2009.exe"
"Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe"
"Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe"
"Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe"
"Norton Anti-Virus 2009 Enterprise Crack.exe"
"BitDefender AntiVirus 2009 Keygen.exe"
"Ad-aware 2008.exe"
"Red Alert 3 keygen and trainer.exe"
"TCN ISO SigmaX2 firmware.bin.exe"
"TCN ISO cable modem hacking tools.exe"
"WinRAR v3.x keygen RaZoR.exe"
"VmWare keygen.exe"
"Adobe Photoshop CS4 crack.exe"
"Adobe Acrobat Reader keygen.exe"
"Password Cracker.exe"
"Windows 2008 Enterprise Server VMWare Virtual Machine.exe"
"Youtube Music Downloader 1.0.exe"
"K-Lite codec pack 4.0 gold.exe"

It also spreads by copying itself onto any removable media connected to the system, creating an "autorun.inf" file so that the worm is executed when the device is connected to another system.

This worm is also a mass-mailer with its own SMTP engine, like many others. It sends itself to the harvested e-mail addresses.

The mails can arrive in several forms:

Subject: "Mcdonalds wishes you Merry Christmas!"
Sender:  "giveaway@mcdonalds.com"
Attachment: coupon.zip

or

Subject: "Coca Cola is proud to accounce our new Christmas Promotion." 
Sender: "noreply@coca-cola.com"
Attachment: promotion.zip

or

Subject: "You've received A Hallmark E-Card!'"
Sender: "postcards@hallmark.com"
Attachment: postcard.zip

Screen captures below (images not reproduced in this text).
Attachments are compressed files, containing the worm itself.