W32.Blackmal.E

Brief Description:
--------------------
W32.Blackmal.E@mm is a mass-mailing worm that attempts to spread through network shares, lowers security settings, and will overwrite files with the following extensions on the 3rd of every month (Feb 3rd, Mar 3rd, Apr 3rd, etc.):

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.psd
*.dmp

This worm also removes registry keys and deletes files associated with several antivirus programs, including SAV. Infected machines will need to not only have the worm removed but also have SAV reinstalled, as the worm renders it nonfunctional.

A very small number of infections were reported on campus.

Characteristics:
------------------
The email the worm generates will have the following characteristics:

Subject: One of the following:
*Hot Movie*
A Great Video
Fw: Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Photos
Re: School girl fantasies gone bad

Message body: One of the following:
Note: forwarded message attached.
You Must View This Videoclip!
>> forwarded message
Re: Sex Video
i just any one see my photos. It's Free :)
The Best Videoclip Ever
Hot XXX Yahoo Groups
Fuckin Kama Sutra pics
ready to be FUCKED ;)
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
What?
i send the file.
Hello
i attached the details.
Thank you
the file i send the details
hello,
Please see the file.
how are you?
i send the details.

Attachment: One of the following:
007.pif
392315089702606E-02,.scR
677.pif
Adults_9,zip.sCR
Arab sex DSC-00465.jpg
ATT01.zip.sCR
Attachments[001],B64.sCr
Clipe,zip.sCr
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.pdf
eBook.PIF
image04.pif
New Video,zip
New_Document_file.pif
photo.pif
Photos,zip.sCR
School.pif
SeX,zip.scR
Sex.mim
Video_part.mim
WinZip,zip.scR
WinZip.BHX
WinZip.zip.sCR
Word XP.zip.sCR
Word.zip.sCR
04.pif

The attachment may be an executable file or a MIME file that contains an executable file. Those attachments that are MIME files may have the following file names:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

These files may also have one of the following file names:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09

These file names will be combined with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE

If the attachment is a MIME file, it may contain a file with one of the following file names:
392315089702606E-02,UUE[BLANK SPACES].scr
Adults_9,zip[BLANK SPACES].scr
ATT01.zip[BLANK SPACES].scr
Atta[001],zip[BLANK SPACES].scr
Attachments,zip[BLANK SPACES].scr
Attachments[001],B64[BLANK SPACES].scr
Clipe,zip[BLANK SPACES].scr
New Video,zip[BLANK SPACES].scr
Photos,zip[BLANK SPACES].scr
SeX,zip[BLANK SPACES].scr
WinZip,zip[BLANK SPACES].scr
WinZip.zip[BLANK SPACES].scr
Word XP.zip[BLANK SPACES].scr
Word.zip[BLANK SPACES].scr

When W32.Blackmal.E@mm is executed, it performs the following actions:

1. Copies itself as one of the following files:
   %Windir%\Rundll16.exe
   %System%\scanregw.exe
   %System%\Winzip.exe
   %System%\Update.exe
   %System%\WINZIP_TMP.EXE
   %System%\SAMPLE.ZIP
   %System%\New WinZip File.exe
   movies.exe
   Zipped Files.exe

   Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
   %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates an empty .zip file using the same file name as the worm itself in the %System% folder. It then opens this file in order to hide its functionality.

3. Drops the file %System%\MSWINSCK.OCX, which is a clean Microsoft control used for network connectivity.

4. Adds the value:
   "ScanRegistry" = "scanregw.exe /scan"
   to the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   so that it runs every time Windows starts.

5. Modifies the values:
   "WebView" = "0"
   "ShowSuperHidden" = "0"
   in the registry subkey:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

6. Modifies the value:
   "FullPath" = "0"
   in the registry subkey:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

7. Adds the values:
   "5f54e750-ce26-11cf-8e43-00a0c911005a" = "mnlnnimimnoiuilnvjkinnkitjwjnimntntm"
   "F4FC596D-DFFE-11CF-9551-00AA00A3DC45" = "mbmabptebkjcdlgtjmskjwtsdhjbmkmwtrak"
   "190B7910-992A-11cf-8AFA-00AA00C00905" = "gclclcejjcmjdcccoikjlcecoioijjcjnhng"
   "72E67120-5959-11cf-91F6-C2863C385E30" = "ibcbbbebqbdbciebmcobmbhifcmciibblgmf"
   "096EFC40-6ABF-11cf-850C-08002B30345D" = "knsgigmnmngnmnigthmgpninrmumhgkgrlrk"
   "556C75F1-EFBC-11CF-B9F3-00A0247033C4" = "xybiedobrqsprbijaegcbislrsiucfjdhisl"
   "4D553650-6ABE-11cf-8ADB-00AA00C00905" = "gfjmrfkfifkmkfffrlmmgmhmnlulkmfmqkqj"
   "57CBF9E0-6AA7-11cf-8ADB-00AA00C00905" = "aahakhchghkhfhaamghhbhbhkbpgfhahlfle"
   "9E799BF1-8817-11cf-958F-0020AFC28C3B" = "uqpqnqkjujkjjjjqwktjrjkjtkupsjnjtoun"
   "78E1BDD1-9941-11cf-9756-00AA00C00908" = "yjrjvqkjlqqjnqkjvprqsjnjvkuknjpjtoun"
   "DC4D7920-6AC8-11cf-8ADB-00AA00C00905" = "iokouhloohrojhhhtnooiokomiwnmohosmsl"
   "7C35CA30-D112-11cf-8E72-00A0C90F26F8" = "whmhmhohmhiorhkouimhihihwiwinhlosmsl"
   "2c49f800-c2dd-11cf-9ad6-0080c7e7b78d" = "mlrljgrlhltlngjlthrligklpkrhllglqlrk"
   "899B3E80-6AC6-11cf-8ADB-00AA00C00905" = "wjsjjjlqmjpjrjjjvpqqkqmqukypoqjquoun"
   "B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905" = "qqkjvqpqmqjjpqjjvpqqkqmqvkypoqjquoun"
   "6FB38640-6AC7-11cf-8ADB-00AA00C00905" = "gdjkokgdldikhdddpjkkekgknesjikdkoioh"
   "E32E2733-1BC5-11d0-B8C3-00A0C90DCA10" = "kmhfimlflmmfpffmsgfmhmimngtghmoflhsg"
   "4250E830-6AC2-11cf-8ADB-00AA00C00905" = "kjljvjjjoquqmjjjvpqqkqmqykypoqjquoun"
   "BC96F860-9928-11cf-8AFA-00AA00C00905" = "mmimfflflmqmlfffrlnmofhfkgrlmmfmqkqj"
   to the registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses
   which enables the %System%\MSWINSCK.OCX file to function.

8. Deletes the following files:
   %ProgramFiles%\DAP\*.dll
   %ProgramFiles%\BearShare\*.dll
   %ProgramFiles%\Symantec\LiveUpdate\*.*
   %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
   %ProgramFiles%\Norton AntiVirus\*.exe
   %ProgramFiles%\Alwil Software\Avast4\*.exe
   %ProgramFiles%\McAfee.com\VSO\*.exe
   %ProgramFiles%\McAfee.com\Agent\*.*
   %ProgramFiles%\McAfee.com\shared\*.*
   %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
   %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
   %ProgramFiles%\Trend Micro\Internet Security\*.exe
   %ProgramFiles%\NavNT\*.exe
   %ProgramFiles%\Morpheus\*.dll
   %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
   %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
   %ProgramFiles%\Grisoft\AVG7\*.dll
   %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
   %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
   %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

   Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

9. Queries the following values:
   "Home Directory"
   "NAV"
   "Folder"
   "InstallLocation"
   under the following registry subkeys:
   HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
   HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps
   HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\101
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
   and deletes all .exe files found in the folders it locates.

10. Queries the value:
    "Folder"
    in the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
    and deletes all files found in the folder it locates.

11. Queries the value:
    "Path"
    in the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe
    and deletes all *.exe and *.ppl files in the folder it locates.

12. Closes windows whose title contains any of the following strings:
    SYMANTEC
    SCAN
    KASPERSKY
    VIRUS
    MCAFEE
    TREND MICRO
    NORTON
    REMOVAL
    FIX

13. Deletes the values:
    PCCIOMON.exe
    pccguide.exe
    Pop3trap.exe
    PccPfw
    Tmproxy
    McAfeeVirusScanService
    NAVAgent
    PCCClient.exe
    SSDPSRV
    rtvscn95
    defwatch
    vptray
    ScanInicio
    APVXDWIN
    KAVPersonal50
    kaspersky
    TMOutbreakAgent
    AVG7_Run
    AVG_CC
    Avgserv9.exe
    AVGW
    AVG7_CC
    AVG7_EMC
    VetAlert
    VetTray
    OfficeScanNTMonitor
    avast!
    DownloadAccelerator
    BearShare
    from the following registry subkeys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

14. Gathers email addresses from files with the following extensions:
    .htm
    .dbx
    .eml
    .msg
    .oft
    .nws
    .vcf
    .mbx
    .imh
    .txt
    .msf

15. The worm also gathers email addresses from files with one of the following strings in the full name:
    CONTENT.
    TEMPORARY

16. Attempts to send itself as an email to the addresses it gathers using its own SMTP engine.

17. Searches the network for the following shared folders, where it copies itself as WINZIP_TMP.EXE:
    ADMIN$
    C$

18. The worm also copies itself using the same file name to network shares protected by weak passwords.

19. Attempts to access the following URL:
    [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247

20. Enumerates the computers in the same domain as the host computer by using WNetOpenEnum.

21. Executes the command "net use \\[COMPUTER NAME] "" /user:administrator" to connect to that computer.

    Note: If the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection. [COMPUTER NAME] is a remote computer name and "" is a blank password.

22. Attempts to delete the following folders on the computer it connects to:
    \C$\Program Files\Norton AntiVirus
    \C$\Program Files\Common Files\symantec shared
    \C$\Program Files\Symantec\LiveUpdate
    \C$\Program Files\McAfee.com\VSO
    \C$\Program Files\McAfee.com\Agent
    \C$\Program Files\McAfee.com\shared
    \C$\Program Files\Trend Micro\PC-cillin 2002
    \C$\Program Files\Trend Micro\PC-cillin 2003
    \C$\Program Files\Trend Micro\Internet Security
    \C$\Program Files\NavNT
    \C$\Program Files\Panda Software\Panda Antivirus Platinum
    \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
    \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
    \C$\Program Files\Panda Software\Panda Antivirus 6.0
    \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

23. Attempts to execute the following command on the compromised computer to execute its copy at the end of the hour:
    at [COMPUTER NAME] [HOUR]:59 /interactive \\[COMPUTER NAME]\Admin$\WINZIP_TMP.exe
    at [COMPUTER NAME] [HOUR]:59 /interactive \\[COMPUTER NAME]\C$\WINZIP_TMP.exe

    Note: [COMPUTER NAME] is a remote computer name and [HOUR] represents the hour when propagation begins.

24. When the worm is executed on the 3rd day of every month, it will destroy all files with the following extensions by overwriting the file:
    *.doc
    *.xls
    *.mdb
    *.mde
    *.ppt
    *.pps
    *.zip
    *.rar
    *.psd
    *.dmp

    Note: The destroyed files have the following text:
    DATA Error [47 0F 94 93 F4 F5]

Recovery:
-----------
Symantec Security Response has developed a removal tool to clean the infections of W32.Blackmal.E@mm. Use this removal tool first, as it is the easiest way to remove this threat. If it does not work, you can use Symantec's manual removal instructions.

Note: The threat targets AV products, so if any of the targeted files have been deleted, then the AV product may need to be reinstalled after using the removal tool.

Protection:
------------
Symantec virus definitions dated 1/17/2006 or later will detect this worm. Instructions on how to update NAV definition files are located at:
http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further information:
-----------------------
For further information regarding W32.Blackmal.E, see the following sites:
http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://vil.nai.com/vil/content/v_138027.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GREW.A
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html
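The email characteristics above show the worm's two naming tricks: a comma or extra dot that makes an attachment look like an archive ("Photos,zip.scR", "WinZip.zip.sCR") and a run of blank spaces that pushes the real .scr extension out of view in a mail client. The following Python is an added example (not code from the page, Symantec, or the UPenn computing group) of a mail-gateway triage rule that normalizes attachment names before deciding; the subject list is an abbreviated copy of the one above, and the tag names and verdict strings are this example's own.

```python
import re

# Abbreviated copy of the subject list in the description above.
KNOWN_SUBJECTS = {
    "*Hot Movie*",
    "A Great Video",
    "Fw: Fw: DSC-00465.jpg",
    "Fw: Picturs",
    "Miss Lebanon 2006",
    "My photos",
    "Re: School girl fantasies gone bad",
}

# Extensions Windows runs as programs; every worm attachment ends in one of
# these, sometimes after blank spaces so the extension scrolls out of view.
EXEC_EXTS = {"scr", "pif", "exe"}
# Text encodings the worm wraps its executable in (base64, BinHex, uuencode, MIME).
CONTAINER_EXTS = {"b64", "bhx", "hqx", "mim", "uu", "uue", "xxe"}
# Archive/encoding tokens the worm imitates with a comma or a second dot.
FAKE_INNER = {"zip", "b64", "uue"}


def normalize_name(name: str) -> str:
    """Drop every whitespace character and lowercase, so the padded and
    mixed-case variants listed above collapse to one canonical form."""
    return re.sub(r"\s+", "", name).lower()


def attachment_tags(name: str) -> set:
    """Return the set of worm tricks an attachment name exhibits.
    An empty set means the name shows none of them."""
    tags = set()
    canon = normalize_name(name)
    stem, dot, ext = canon.rpartition(".")
    if not dot:                      # no extension at all, e.g. "New Video,zip"
        stem, ext = canon, ""
    if ext in EXEC_EXTS:
        tags.add("executable")
        # blank spaces between the stem and the real extension ("...,zip    .scr")
        if re.search(r"\s+\.[^.\s]+$", name):
            tags.add("padded-extension")
    elif ext in CONTAINER_EXTS:
        tags.add("encoded-container")
    # "Photos,zip" / "WinZip.zip" in front of the real extension (or with none)
    if re.search(r"[.,](%s)$" % "|".join(sorted(FAKE_INNER)), stem):
        tags.add("fake-archive")
    return tags


def triage_message(subject: str, attachments) -> str:
    """'block' for a known subject or an executable attachment, 'review' for
    an encoded container the gateway cannot see inside, otherwise 'pass'."""
    if subject in KNOWN_SUBJECTS:
        return "block"
    all_tags = set()
    for name in attachments:
        all_tags |= attachment_tags(name)
    if "executable" in all_tags:
        return "block"
    if "encoded-container" in all_tags:
        return "review"
    return "pass"


if __name__ == "__main__":
    # Constructed sample messages built from names in the description above.
    for subj, atts in [("Fw: Picturs", ["Photos,zip    .scr"]),
                       ("Invoice", ["WinZip.BHX"]),
                       ("Meeting notes", ["agenda.doc"])]:
        print(subj, atts, "->", triage_message(subj, atts),
              [attachment_tags(a) for a in atts])
```

The verdict is deliberately driven by the normalized name rather than the raw one: a rule that matched the literal strings above would be defeated by one more space or a different capitalization, while collapsing whitespace and case catches every variant the worm emits and any a later variant might add.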
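Two host-side artifacts above are cheap to check when triaging a machine after the removal tool has run: the registry values the worm writes (step 4 and step 5) and the marker text left in files it overwrote on the 3rd (step 24). The Python below is an added example (not the page's, Symantec's, or UPenn's code) of such a check. It assumes the marker appears at the start of a destroyed file, which the description implies but does not state, and it takes the registry as a plain dict snapshot so it runs offline; on a live Windows host that dict would be filled from winreg.

```python
import os
import tempfile
from pathlib import Path

# Text the worm leaves in every file it overwrites (from step 24 above).
# Assumption: it sits at offset 0; the original content is gone, so this
# marker is the only thing left to detect.
DESTROYED_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".psd", ".dmp"}

# Values the worm writes (steps 4 and 5). Windows 9x shipped a legitimate
# "ScanRegistry" value pointing at C:\WINDOWS\scanregw.exe /autorun, so the
# check compares the full data string, not just the value name.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
WORM_SET_VALUES = {
    (RUN_KEY, "ScanRegistry"): "scanregw.exe /scan",
    (ADVANCED_KEY, "WebView"): "0",
    (ADVANCED_KEY, "ShowSuperHidden"): "0",
}


def is_destroyed(name: str, head: bytes) -> bool:
    """True if a file of a targeted type begins with the overwrite marker."""
    return Path(name).suffix.lower() in TARGET_EXTS and head.startswith(DESTROYED_MARKER)


def scan_tree(root) -> list:
    """Walk a directory tree and return the sorted paths of clobbered files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = Path(dirpath, fname)
            if path.suffix.lower() not in TARGET_EXTS:
                continue            # only the ten extensions above are hit
            with open(path, "rb") as fh:
                head = fh.read(len(DESTROYED_MARKER))
            if is_destroyed(fname, head):
                hits.append(str(path))
    return sorted(hits)


def check_registry(snapshot: dict) -> list:
    """snapshot maps a key path to {value name: data}. Returns one finding
    per value whose data matches what the worm writes."""
    findings = []
    for (key, value), worm_data in WORM_SET_VALUES.items():
        data = snapshot.get(key, {}).get(value)
        if data is not None and str(data).lower() == worm_data:
            findings.append(f"{key}\\{value} = {data!r} (worm-set value)")
    return findings


def demo_scan() -> list:
    """Build a throwaway tree of constructed sample files (two clobbered, one
    healthy, one untargeted type) and return the basenames scan_tree flags."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "budget.xls").write_bytes(DESTROYED_MARKER + b"\x00" * 64)
        Path(tmp, "readme.txt").write_bytes(DESTROYED_MARKER)      # .txt is not targeted
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "photo.psd").write_bytes(b"8BPS" + b"\x00" * 64)  # healthy header
        Path(tmp, "sub", "archive.zip").write_bytes(DESTROYED_MARKER)
        return [Path(p).name for p in scan_tree(tmp)]


if __name__ == "__main__":
    # Constructed registry snapshot resembling an infected host.
    snap = {RUN_KEY: {"ScanRegistry": "scanregw.exe /scan"},
            ADVANCED_KEY: {"ShowSuperHidden": "0", "WebView": "1"}}
    for line in check_registry(snap):
        print(line)
    print("clobbered files in demo tree:", demo_scan())
```

A hit from scan_tree is a restore-from-backup case, not a repair case: the worm overwrites rather than renames or encrypts, so the listed paths tell you what to pull from the last good backup, and the date of the hit tells you which monthly run did it.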