Worm:Win32/Chupik.A is a Visual Basic-compiled worm that propagates via fixed and removable media, for example a hard disk drive or a flash drive. It may also download files, possibly malicious, onto your computer.

Installation

When executed, the worm drops its copy to the following:

  • %windir%\h2s.exe
  • %windir%\nacl.exe
  • %windir%\system\lsass.exe
  • %windir%\userinit.exe

Note that %windir% is a hard-coded path in the malware.

It then creates a folder in the directory from which the malware was run, giving the folder the same name as the executable file (without the extension), and opens it.

For example, if the executable is named “Tools.exe”, it creates a folder named “Tools” and opens it. Because the malware uses a folder icon, this may trick you into thinking that it is just a normal folder.

It makes the following changes to the registry to ensure it runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: “pikachu”
With data: “C:\WINDOWS\nacl.exe”

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: “Userinit”
From data: “C:\WINDOWS\system32\userinit.exe,”
To data: “C:\WINDOWS\userinit.exe”
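The two persistence entries above are easy to audit in a triage script. The following added example (not part of the original analysis) splits a Winlogon Userinit value into its entries and flags anything other than the genuine system32 copy, and applies a heuristic to Run values that catches the worm's nacl.exe entry; it reads the live keys through winreg only on Windows, and C:\WINDOWS as %windir% is an assumption.

```python
import ntpath
import sys

WINDIR = r"C:\WINDOWS"  # assumed %windir%; the worm hard-codes this path

def userinit_entries(value):
    """Split a Winlogon 'Userinit' value (comma-separated, usually with a
    trailing comma) into lower-cased, unquoted path entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]

def rogue_userinit(value, windir=WINDIR):
    """Entries other than the genuine %windir%\\system32\\userinit.exe;
    the worm's %windir%\\userinit.exe replacement lands here."""
    genuine = ntpath.join(windir, "system32", "userinit.exe").lower()
    return [e for e in userinit_entries(value) if e != genuine]

def command_executable(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def suspicious_run_entries(run_values, windir=WINDIR):
    """Heuristic: a Run entry whose executable sits directly in %windir%
    (not a subfolder) is unusual; 'pikachu' -> C:\\WINDOWS\\nacl.exe matches."""
    hits = []
    for name, cmd in run_values.items():
        exe = command_executable(cmd)
        if ntpath.dirname(exe).lower() == windir.lower():
            hits.append((name, exe))
    return hits

def read_live_values():
    """On Windows read the real Userinit and HKCU Run values via winreg;
    elsewhere return None so a caller can fall back to sample values."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        for i in range(winreg.QueryInfoKey(k)[1]):
            name, data, _ = winreg.EnumValue(k, i)
            run[name] = data
    return userinit, run
```

On a clean machine rogue_userinit on the live value returns an empty list; the page's modified value yields the lone c:\windows\userinit.exe entry.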

Spreads via…

Fixed and removable drives

Worm:Win32/Chupik.A drops a copy of itself to any available fixed or removable drive.

On a hard disk drive, the worm enumerates all the drives on the computer except for the root drive (usually C:).

Once a drive has been found, it searches for all the folders on that drive and drops its copy as an executable file with the same name as each folder. It then sets the hidden attribute on the folder.

For example, if there is a folder named “Games” on the drive, the malware drops its copy as “Games.exe”, and so on.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the network and/or removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

On a flash drive, Worm:Win32/Chupik.A drops its copy as “h2o.exe” together with an Autorun.inf file, so that the malware will be executed when Autorun is enabled.
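The spreading pattern just described (a folder made hidden next to a same-named .exe, plus an autorun.inf in the root) can be scanned for on any drive. The following added example (not from the original analysis) walks a drive tree and reports those pairs, noting whether the folder carries the Windows hidden attribute; it builds a constructed sample tree in a temporary directory, which is an assumption standing in for a real removable drive.

```python
import os
import stat
import tempfile

def is_hidden(path):
    """Windows 'hidden' attribute; False on filesystems without it."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))

def find_folder_spoofs(root):
    """Walk a drive and report every folder that has a sibling '<folder>.exe',
    the trace the worm leaves. Returns (exe_path, folder_is_hidden) tuples."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        files = {f.lower(): f for f in filenames}
        for d in dirnames:
            exe = files.get(d.lower() + ".exe")
            if exe:
                hits.append((os.path.join(dirpath, exe),
                             is_hidden(os.path.join(dirpath, d))))
    return hits

def spoof_names(root):
    """Sorted file names of the spoofing executables found under root."""
    return sorted(os.path.basename(p) for p, _ in find_folder_spoofs(root))

def root_has_autorun(root):
    """True when the directory carries an autorun.inf (any letter case)."""
    return any(f.lower() == "autorun.inf" for f in os.listdir(root))

def build_sample_drive():
    """Constructed stand-in for an infected drive: 'Games' with 'Games.exe'
    beside it, 'Photos\\Trip' with 'Trip.exe' beside it, a clean file, and
    the worm's h2o.exe and autorun.inf in the root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Games"))
    os.makedirs(os.path.join(root, "Photos", "Trip"))
    for name in ("Games.exe", "h2o.exe", "autorun.inf", "notes.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample")
    with open(os.path.join(root, "Photos", "Trip.exe"), "w") as fh:
        fh.write("sample")
    return root
```

On a real drive, pass its root (for example r"E:\\") to find_folder_spoofs; a hidden folder paired with a same-named .exe is the combination to look for, since either alone is common in legitimate software.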

Payload

Modifies system settings

Worm:Win32/Chupik.A modifies the affected computer system’s settings by making the following changes to the registry:

It disables the system utility Task Manager by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: “DisableTaskMgr”
With data: “dword:00000001”

It disables registry editing tools by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: “DisableRegistryTools”
With data: “dword:00000001”

It restricts the use of Microsoft Management Console (MMC) snap-ins by making the following registry modification:

In subkey: HKCU\Software\Policies\Microsoft\MMC
Sets value: “RestrictToPermittedSnapins”
With data: “dword:00000001”

It disables Command Prompt by making the following registry modification:

In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: “DisableCMD”
With data: “dword:00000001”

It removes the Folder Options item from all Explorer menus and the Control Panel by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: “NoFolderOptions”
With data: “dword:00000000”

It removes the “Run” command from the Start menu:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: “NoRun”
With data: “dword:00000000”

It overrides the display settings so files with the ‘hidden’ attribute are not displayed; it does this by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: “Hidden”
With data: “dword:00000000”

It stops the display of files that have ‘system’ and ‘hidden’ attributes by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: “SuperHidden”
With data: “dword:00000000”

It modifies the ‘Show hidden files and folders’ options in the ‘Folders Options’ menu in Windows Explorer by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
Sets value: “CheckedValue”
With data: “dword:00000002”

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: “CheckedValue”
With data: “dword:00000000”

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: “CheckedValue”
With data: “dword:00000000”

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Sets value: “UncheckedValue”
With data: “dword:00000001”

Deletes the following registry entries to prevent you from booting into Safe Mode:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Sets value: “@”
With data: “DiskDrive”

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Sets value: “@”
With data: “DiskDrive”

Drops files

Worm:Win32/Chupik.A creates the following shared folder on your computer:

C:\Documents and Settings\Temp

It does this by executing the following command:

net share "phim_hai_hay=C:\Documents and Settings\Temp"

The worm then drops a copy of itself as the following file:

tuyen_tap_hai_2008.exe

It queries the shared folder list using the following registry key, then drops its file “phim hai cuc hay.exe” to any existing shared folders it finds:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

Downloads arbitrary files

In the wild, we have observed the worm downloading arbitrary files onto infected computers. We have observed the worm downloading files from the following URLs:

  • cmdcmdcmd.php0h.com/ {file}
  • ewqscxz.fateback.com/ {file}
  • qweszxc.50webs.com/ {file}
  • www11.asphost4free.com/ewqscxz/ {file}
  • www41.websamba.com/aibietdc/ {file}

Where {file} can be any of the following:

  • a.jpg
  • 1.jpg
  • 2.jpg
  • 3.jpg
  • 4.jpg
  • 5.jpg
  • 6.jpg

For example, download links can be:

  • cmdcmdcmd.php0h.com/1.jpg
  • ewqscxz.fateback.com/5.jpg
  • www41.websamba.com/aibietdc/3.jpg

The downloaded files may be saved to, and executed from, the following paths:

  • c:\windows\system32\link.sys
  • c:\windows\system32\MSINET.OCX
  • c:\windows\system32\MSWINSCK.exe
  • c:\windows\system32\rar.exe
  • c:\windows\system32\svch0st.exe
  • c:\windows\system32\w
  • c:\windows\system32\y
  • c:\windows\temp\per.exe

Terminates processes and deletes files

The worm may terminate processes that contain any of the following strings:

  • avg
  • bhome
  • bit
  • blupro
  • bpro
  • kav
  • nod

Note that these strings are often associated with security-related processes.

It also deletes files with a .GHO file extension, as well as the following files:

  • c:\$Persi0.sys
  • c:\Persi0.sys

Modifies Hosts file

Worm:Win32/Chupik.A modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a host name to a particular IP address. Malware may modify the Hosts file in order to redirect specified host names to different IP addresses, and often does so to stop you from accessing websites associated with particular security-related applications (such as antivirus vendors).

The worm replaces the existing content of the Hosts file with the following content:

  • 127.0.0.1 9down<dot>com
  • 127.0.0.1 bkav.com<dot>vn
  • 127.0.0.1 download.avg<dot>com
  • 127.0.0.1 download.com<dot>vn
  • 127.0.0.1 download.eset<dot>com
  • 127.0.0.1 download.f-secure<dot>com
  • 127.0.0.1 download.softpedia<dot>com
  • 127.0.0.1 download1us.softpedia<dot>com
  • 127.0.0.1 free.avg<dot>com
  • 127.0.0.1 mirror02.gdata<dot>de
  • 127.0.0.1 spftrl.digitalriver<dot>com
  • 127.0.0.1 www<dot>9down.com
  • 127.0.0.1 www<dot>bitdefender.co.uk
  • 127.0.0.1 www<dot>bitdefender.com
  • 127.0.0.1 www<dot>bkav.com.vn
  • 127.0.0.1 www<dot>download.com
  • 127.0.0.1 www<dot>download.com.vn
  • 127.0.0.1 www<dot>grisoft.cz
  • 127.0.0.1 www<dot>kaspersky.com
  • 127.0.0.1 www<dot>symantec.com
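The Hosts-file tampering above is straightforward to detect: any external host name mapped to a loopback or null address is suspect, and vendor-looking names among them point at this kind of update-blocking. The following added example (not part of the original analysis) parses a hosts file and reports such entries; the embedded sample is constructed from a few of the (re-fanged) names listed above plus the default localhost lines.

```python
# Constructed hosts-file sample: the default local entries plus a few of the
# vendor entries listed above, written out as they would appear on disk.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1 download.avg.com
127.0.0.1 www.kaspersky.com   # trailing comment
127.0.0.1 www.symantec.com
"""

NULL_ROUTES = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Substrings from the vendor domains the worm sinkholes; used to classify hits.
VENDOR_HINTS = ("avg", "bkav", "eset", "f-secure", "gdata", "bitdefender",
                "grisoft", "kaspersky", "symantec", "softpedia", "download")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines and
    handling lines that list several names after one address."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def sinkholed_hosts(text):
    """Hostnames mapped to a loopback/null address, other than the local
    names every hosts file carries. Any external name here deserves a look."""
    return sorted({n for ip, n in parse_hosts(text)
                   if ip in NULL_ROUTES and n not in LOCAL_NAMES})

def vendor_sinkholes(text):
    """Subset of sinkholed names that look like security-vendor or download
    sites, the pattern this worm uses to cut off antivirus updates."""
    return [n for n in sinkholed_hosts(text)
            if any(hint in n for hint in VENDOR_HINTS)]
```

To check a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to vendor_sinkholes.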

Additional information

The following is a list of the contents of the Autorun.inf file:

  [AutoRun]
  ShElL\OpEn\coMMand = h2o.exe
  sheLl\OPeN\DeFaULT=1
  SHeLL\ExPLOrE\coMMAnd = h2o.exe
  OpEN= h2o.exe
  sHELl\AuToplaY\cOMMAnd=h2o.exe
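The mixed-case key names in that file are an evasion against naive string matching: Windows treats INI keys case-insensitively, so the worm loses nothing. The following added example (not part of the original analysis) parses an autorun.inf with that normalisation applied and reports which executables it would launch; the embedded sample is a constructed copy of the contents listed above.

```python
import re

# Constructed copy of the autorun.inf content listed above, keeping the
# worm's mixed-case key names exactly as they appear.
SAMPLE_AUTORUN = """\
[AutoRun]
ShElL\\OpEn\\coMMand = h2o.exe
sheLl\\OPeN\\DeFaULT=1
SHeLL\\ExPLOrE\\coMMAnd = h2o.exe
OpEN= h2o.exe
sHELl\\AuToplaY\\cOMMAnd=h2o.exe
"""

# Keys through which autorun.inf can hand an executable to Windows.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command

def parse_autorun(text):
    """Return {lower-cased key: value} for the [autorun] section. INI keys
    are case-insensitive on Windows, so the worm's odd capitalisation changes
    nothing for the OS; normalising it here lets a scanner match the keys."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, val = line.split("=", 1)
            values[key.strip().lower()] = val.strip()
    return values

def launch_targets(text):
    """Executables the file would launch via open, shellexecute or any
    shell\\<verb>\\command key (open, explore, autoplay in the sample)."""
    targets = set()
    for key, val in parse_autorun(text).items():
        if not val:
            continue
        if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key):
            targets.add(val.split()[0].strip('"').lower())
    return targets

def autorun_launches_local_exe(text):
    """True when any launch target is a bare relative .exe name, i.e. a
    program carried on the drive itself, the shape of the worm's file."""
    return any(t.endswith(".exe") and "\\" not in t for t in launch_targets(text))
```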

Analysis by Ric Robielos