
Weekly Review - The worm that goes against

Bogdan BOTEZATU

February 09, 2009


Trojan.Iframe.FO

Another piece of JavaScript that infects websites that may otherwise be clean. It creates two invisible iframes (height 0) in the main page and detects which browser the victim is using. It then loads different malware-spreading pages inside the iframes in an attempt to infect the user.

Infected computers are marked with a cookie.
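The hidden-iframe injection described above can be spotted on a page you administer by auditing every iframe for zero-size or hidden styling. The scanner below is an added example written for this review, not code from the original post or from BitDefender; the sample page it scans is constructed, and the `example.invalid` URLs are placeholders.

```python
from html.parser import HTMLParser

# Constructed sample page: two zero-height / hidden iframes injected into an
# otherwise ordinary page, plus one legitimately sized iframe for contrast.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/a" width="1" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/b" style="height:0px; visibility:hidden"></iframe>
<iframe src="http://example.invalid/video" width="640" height="360"></iframe>
</body></html>
"""

HIDDEN_STYLE_MARKERS = ("height:0", "width:0", "display:none", "visibility:hidden")


def _is_zero(value: str) -> bool:
    """True for '0', '0px', '0.0' and similar zero dimensions."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "0.0")


class IframeAuditor(HTMLParser):
    """Collect every <iframe> and record why it would render invisibly."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("height", "width"):
            if dim in a and _is_zero(a[dim]):
                reasons.append(f"{dim}=0")
        style = a.get("style", "").replace(" ", "").lower()
        reasons += [f"style {m}" for m in HIDDEN_STYLE_MARKERS if m in style]
        if reasons:
            self.findings.append((a.get("src", "<no src>"), reasons))


def find_hidden_iframes(html: str):
    """Return [(src, reasons)] for every iframe that is sized or styled to be invisible."""
    p = IframeAuditor()
    p.feed(html)
    return p.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(reasons)}")
```

Run it over a saved copy of the page; a legitimate embed with real dimensions (the third iframe) is not reported, while both injected frames are, together with the attribute or style rule that hides them.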


Win32.Worm.Delf.NFW

This is a worm written in Delphi and it appears to originate in Romania. It uses common peer-to-peer software to spread (StrongDC, ApexDC, DCPlusPlus and oDC).


Once executed, the worm creates a file named System32.F2.sys, which it fills with a huge list of movie, software, crack and keygen names. It then checks for the presence of the DC clients mentioned above and attempts to open the DCPlusPlus.xml file, usually found in the application's own folder. This folder contains the client's configuration directives and the list of shared folders it can spread files from.

It will add the entry C:\Program Files\Common Files\System Internals 32bits and create the folder.


In it, the worm creates a directory for every entry found in System32.F2.sys. In those directories it places copies of itself with double extensions, for example some_new_movie.avi.exe or some_new_movie.sub.exe. This way the worm creates over 1000 folders, each holding at least one copy of itself. The next time the infected user starts the DC client, it will hash and share the whole folder, allowing the worm to spread.
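A defender triaging a machine for this worm can check the two artefacts just described without launching the DC client: the extra directory registered in DCPlusPlus.xml and the tree of double-extension executables under it. The script below is an added example, not BitDefender's or DC++'s own code. It assumes DC++ lists shares as `<Share><Directory Virtual="...">path</Directory>` elements (a layout assumed here, not stated in the article), and the XML fragment and temporary directory tree it inspects are constructed sample data.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed DCPlusPlus.xml fragment. The <Share>/<Directory> layout is an
# assumption about the DC++ config format, not something the article states.
SAMPLE_DCPP_XML = """<?xml version="1.0" encoding="utf-8"?>
<DCPlusPlus>
  <Share>
    <Directory Virtual="Downloads">C:\\Users\\alice\\Downloads</Directory>
    <Directory Virtual="System Internals 32bits">C:\\Program Files\\Common Files\\System Internals 32bits</Directory>
  </Share>
</DCPlusPlus>
"""

# Share name the article reports the worm adding to the client's share list.
SUSPICIOUS_SHARE_NAMES = ("system internals 32bits",)

# A "movie" or "subtitle" whose real extension is executable is the worm's decoy pattern.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}
DECOY_EXTS = {".avi", ".sub", ".mp3", ".mpg", ".zip", ".rar"}


def shared_directories(xml_text):
    """Return [(virtual_name, path)] for every shared directory in the config."""
    root = ET.fromstring(xml_text)
    return [(d.get("Virtual", ""), (d.text or "").strip()) for d in root.iter("Directory")]


def suspicious_shares(xml_text):
    """Shares whose name or path matches the worm's known directory name."""
    return [(v, p) for v, p in shared_directories(xml_text)
            if any(s in f"{v} {p}".lower() for s in SUSPICIOUS_SHARE_NAMES)]


def double_extension_executables(root_dir):
    """Walk a share and list files like name.avi.exe (decoy ext + executable ext)."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            stem, ext = os.path.splitext(name)
            _, inner = os.path.splitext(stem)
            if ext.lower() in EXECUTABLE_EXTS and inner.lower() in DECOY_EXTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_share():
    """Create a throwaway tree shaped like the worm's share: one folder per
    'title', each holding a double-extension copy. Constructed sample data."""
    base = tempfile.mkdtemp(prefix="dcshare_")
    for title in ("some_new_movie", "popular_app_crack"):
        d = os.path.join(base, title)
        os.makedirs(d)
        with open(os.path.join(d, f"{title}.avi.exe"), "wb") as f:
            f.write(b"MZ")  # constructed stub, not a real executable
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("harmless")
    return base


def audit_sample():
    """Run both checks against the constructed samples: (share hits, decoy file names)."""
    shares = suspicious_shares(SAMPLE_DCPP_XML)
    hits = double_extension_executables(build_sample_share())
    return len(shares), [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    n, names = audit_sample()
    print(f"suspicious share entries: {n}")
    for name in names:
        print(f"double-extension executable: {name}")
```

On a real host, point `double_extension_executables` at each path returned by `shared_directories` from the user's actual DCPlusPlus.xml; a share holding hundreds of one-file folders that all match the decoy pattern is the signature described above.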


It also creates the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp, which points to the file C:\Program Files\Common Files\System Internals 32bits\TuneUp.exe and ensures the worm is executed on every system start.


It searches for and deletes every file on the disk that contains one of the following sequences of characters: Adrian Minune, Adi De La Valcea, Adi De Vito, Alex de la Orastie, Ali Zaidi, Ady Pustiu, Babi Minune, Corina, Bocsa Copilul de Aur, Costel Biju, Ciofu, Cristi Dules, Cristian Rizescu, Dan Bursuc, danezu, Denisa, De Marco, Dj. Bengos, DJ Sebi, Don Genove, Elvis de la Bistrita, Florin Cristea, Florin Minune, Florin Mitroi, Florin Peste, Florin Salam, Fratii de Aur, Laura Vass, Liviu Pustiu, Liviu Guta, Jean de la Craiova, K-meleon, Kristiyana, Ionut Cercel, Marius de la Focsani, Mihaela Minune, Mihai Priescu, Mihaita Piticu, Minodora, Mr.Juve, Nea Kalu, Nek, Nicolae Guta, Nicoleta Guta, Octavian Francezul, Pedro Petrica, Cercel, Printesa de Aur, Roxana Printesa Ardealului, Rudy de la Valcea, Sandu Ciorba, Sorinel Pustiul, Sorinel Pustiu, Susanu, Suzana, Vali Vijelie, Violeta Constantin, Zaku.


It connects to several websites hosting media files (usually .mp3) and attempts to download some of them into the folder C:\Program Files\Common Files\System Internals 32bits\res. Here are a couple of example domains:

graiulneamului.ro

proconsul.com.ro

earhiva.info/arhiva/cantari%20ortodoxe

downtown.evonet.ro/parazitii


The worm may also overwrite the hosts file with one of its own, which redirects any access to various music, warez or pornographic websites to localhost (making them inaccessible).
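The hosts-file hijack just described leaves a simple indicator: hostnames other than the usual local aliases pinned to a loopback address. The parser below is an added example, not code from the article or from BitDefender; the hosts content it reads is constructed, and the `.example` names are placeholders.

```python
import ipaddress

# Constructed hosts file in the shape described above: the stock entries plus
# two arbitrary sites pinned to loopback, and one ordinary intranet mapping.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       music-download.example   # injected
0.0.0.0         warez-site.example       # injected
192.0.2.10      intranet.corp.example
"""

# Names that legitimately resolve to loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(ip_address, hostname)] pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def sinkholed_hostnames(text):
    """Hostnames mapped to a loopback or unspecified address that are not the
    standard local aliases: the pattern a hosts-file hijack produces."""
    return sorted({name for addr, name in parse_hosts(text)
                   if (addr.is_loopback or addr.is_unspecified)
                   and name not in LOOPBACK_NAMES})


if __name__ == "__main__":
    for name in sinkholed_hostnames(SAMPLE_HOSTS):
        print(f"hosts file sinkholes: {name}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; `0.0.0.0` is included because it blocks a site just as effectively as `127.0.0.1`. Any name the user did not add themselves is worth investigating.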

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad
