Threat Spotlight

For the week of 21 Dec 2009
Threat 1

Malware leaves telltale signs of its presence

Threat Name:

Worm: W32/Autorun-AVH

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Trojan.Win32.Autoit.abl
  • McAfee: Generic Malware.bj
  • Microsoft: Worm:Win32/Katar.A
  • Symantec: W32.SillyFDC
  • Trend Micro: TROJ_DROPPER.PZQ

Further Reading:

SophosLabs Blog: Telltale signs

Removal Instructions:

Please follow the instructions for removing worms.

About:

Unlike most modern malware, which strives to be as invisible as possible, W32/AutoRun-AVH makes subtle but visible changes to a computer. This malware is a worm for the Windows platform that spreads via removable shared drives.

W32/AutoRun-AVH includes functionality to:

  • Copy itself to the <WINDOWS> folder
  • Run automatically
  • Copy itself to the <System> folder
  • Steal confidential information

When W32/AutoRun-AVH is installed, it creates the following files:

<Startup>\(Empty).LNK (detected as W32/AutoRun-AVH)
<System>\gHost.exe (detected as W32/AutoRun-AVH)
<Windows>\inf\Autoplay.inF (detected as W32/Autorun-AOC)
<Windows>\KHATARNAKH.exe (detected as W32/AutoRun-AVH)
<System>\KHATRA.exe (detected as W32/AutoRun-AVH)
<Root>\KHATRA.exe (detected as W32/AutoRun-AVH)
<Windows>\Xplorer.exe (detected as W32/AutoRun-AVH)

It also sets these registry entries (key, then value name = data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoControlPanel = 1

HKCU\Software\Microsoft\Internet Explorer\Main
  Window Title = Internet Exploiter

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  G_Host = <System>\gHost.exe /Reproduce

It also creates registry entries under:

HKLM\SOFTWARE\KHATRA\
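The registry changes above are the "telltale signs" of this worm, so they can be checked for in a regedit export. The following is an added example, not Sophos code: a minimal .reg parser plus a scan for the W32/AutoRun-AVH indicators listed on this page, run against a constructed sample export (the gHost.exe path in the sample is assumed, standing in for <System>).

```python
import re

# Indicators as listed in the Threat Spotlight for W32/AutoRun-AVH:
# (key, value name, expected data); None means any data counts.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Window Title", "Internet Exploiter"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "G_Host", None),
]
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA"

def parse_reg(text):
    """Minimal regedit-export parser -> {key: {value: data}}, lower-cased; dword -> decimal string."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.fullmatch(r'"(.+?)"=(.*)', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                reg[current][name] = str(int(raw[6:], 16))
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                reg[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                reg[current][name] = raw  # hex:/binary values kept raw
    return reg

def scan_for_autorun_avh(reg_text):
    """Return one finding string per AutoRun-AVH registry indicator present."""
    reg, findings = parse_reg(reg_text), []
    for key, name, expected in INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data == expected):
            findings.append(f"{key}\\{name} = {data}")
    if any(k.startswith(MARKER_KEY.lower()) for k in reg):
        findings.append(f"{MARKER_KEY} present")
    return findings

# Constructed sample export, not captured from a real infection.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"G_Host"="C:\\WINDOWS\\system32\\gHost.exe /Reproduce"
[HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA]
"""
```

Running `scan_for_autorun_avh(SAMPLE_REG)` reports the locked registry tools, the G_Host run entry and the KHATRA key; the NoControlPanel indicator is absent from the sample and is correctly not reported.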

Threat 2

Spammers try Western Union transfer lures

Threat Name:

Trojan: Troj/BredoZp-L

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Backdoor.Win32.Bredolab.aug
  • Microsoft: TrojanDownloader:Win32/Bredolab.X

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/BredoZp-L is the latest attempt to slip Mal/Bredo-A past gateway scanners. As in previous cases (see previous Threat Spotlight) the cybercriminals use spam and social engineering to distribute their malware.

Infected files typically arrive through spam pretending to be a Western Union money transfer notification.

Subjects:

Western Union. You can get money transfer! Order NR.2345
Western Union. MTCN Details. Order NR.3538
Western Union. You should receive money transfer. Order NR.6181

The attachment is a zip file, detected as Troj/BredoZp-L, that contains an executable detected as Mal/Bredo-A.

Zip filenames: WU_Details_<5 random alphanumeric characters>.zip

Spam messages are then sent from infected bots. The malware calls home with a URL of the form:

http://<domain>.<tld>/public/controller.php?action=bot%26entity_list=%26uid=%26first=1%26guid=<NUMBERS>%26v=<NUMBERS>%26rnd=<NUMBERS>

Troj/BredoZp-L copies itself to the %TEMP% folder with a filename such as: %WINDOWS%\Temp\~TM4.tmp

It also copies itself to %STARTMENU%\Programs\Startup\ with a random name (e.g. isqsys32.exe), causing execution on system startup. The original file is then deleted.
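The lure subjects, attachment naming and call-home URL shape above are all machine-matchable. The following added example (not Sophos code) turns them into mail-gateway and proxy-log checks; the domain in the sample URL is a constructed placeholder, and note that the observed callback encodes its `&` separators as `%26`, so the query must be unquoted before the parameters can be seen.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Patterns from the Troj/BredoZp-L spam run described above.
SUBJECT_RE = re.compile(r"^Western Union\. .*Order NR\.\d+$")
ATTACHMENT_RE = re.compile(r"^WU_Details_[A-Za-z0-9]{5}\.zip$", re.IGNORECASE)
CALLBACK_PATH = "/public/controller.php"
CALLBACK_PARAMS = {"uid", "guid", "v", "rnd"}

def classify_lure(subject, attachments):
    """Return the reasons a message matches the Western Union lure (empty list = no match)."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches Western Union order-number lure")
    for name in attachments:
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment {name} matches WU_Details_<5 chars>.zip")
    return reasons

def is_bredo_callback(url):
    """True if a URL has the shape of the Mal/Bredo-A call-home request."""
    parts = urlsplit(url)
    if not parts.path.endswith(CALLBACK_PATH):
        return False
    # The observed URL carries '%26' where '&' would be, so unquote first;
    # uid= is empty in the observed request, hence keep_blank_values.
    params = parse_qs(unquote(parts.query), keep_blank_values=True)
    if params.get("action") != ["bot"]:
        return False
    return CALLBACK_PARAMS.issubset(params)

# Constructed samples (placeholder domain; not real spam or C2 data).
SAMPLE_SUBJECT = "Western Union. MTCN Details. Order NR.3538"
SAMPLE_ATTACHMENTS = ["WU_Details_a1B2c.zip"]
SAMPLE_URL = ("http://example.invalid/public/controller.php?action=bot%26entity_list="
              "%26uid=%26first=1%26guid=123%26v=4%26rnd=567")

if __name__ == "__main__":
    print(classify_lure(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS))
    print(is_bredo_callback(SAMPLE_URL))
```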

Threat 3

Old viruses never die

Threat Name:

Virus: W32/Sality-AM

Users at Risk:

Windows users

Removal Instructions:

Please follow the instructions for disinfecting PE executables.

About:

W32/Sality-AM is a member of the Sality family of viruses for Windows. W32/Sality-AM has been around since January 2008, but viruses remain infectious long after their original release. Recently this particular virus has had a minor resurgence.

W32/Sality-AM may also spread by copying itself to removable devices and network shares. It typically drops a hidden file autorun.inf to run copies of itself automatically - this file is detected as Mal/AutoInf-A.

When first run, W32/Sality-AM may infect executables in the root folder and files on network shares.

Files initially dropped include:

rejoice101.exe

It is also known to drop drivers in the system32 drivers folder. The driver can have different names but is detected as Troj/RKSal-Gen.

Mal/Sality-AM will attempt to delete a large swathe of files related to anti-virus and anti-spyware software. It will modify a large list of registry keys, including the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKLM\SOFTWARE\Microsoft\Security Center
HKLM\System\CurrentControlSet\Control\SafeBoot
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Mal/Sality-AM connects to a large list of hard-coded websites to download further malware. The dropped driver file also acts as a filter driver which prevents access to various security websites.

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Mal/Sality-AM. The actions of this malware trigger the HIPS rules HIPS/FileMod-005, HIPS/RegMod-016 and HIPS/RegMod-013.