
W32/Bagle.DA@mm - Released Sep 21, 2005 - Last Updated Jul 04, 2006

Alias/es

Email-Worm.Win32.Bagle.dm, W32.Beagle.CG@mm, W32/Bagle.DA-mm, WORM_BAGLE.DA

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The file windll2.exe exists in the System folder.

Detailed Analysis

  • Creates a mutex named 251204 and the following mutexes, which may prevent variants of W32/Netsky from executing:

    • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
    • 'D'r'o'p'p'e'd'S'k'y'N'e't'
    • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    • [SkyNet.cz]SystemsMutex
    • AdmSkynetJklS003
    • ____--->>>>U<<<<--____
    • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

  • Copies itself to the System folder as windll2.exe.


    Registry Modification

  • Adds the following value to run itself at each Windows startup:
    erthegdr = "%System%\windll2.exe"
    to the following subkey:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
    Note: %System% refers to the System folder.

  • Attempts to delete the following registry entries:
    • My AV
    • Zone Labs Client Ex
    • 9XHtProtect
    • Antivirus
    • Special Firewall Service
    • service
    • Tiny AV
    • ICQNet
    • HtProtect
    • Jammer2nd
    • FirewallSvr
    • MsInfo
    • SysMonXP
    • EasyAV
    • PandaAVEngine
    • Norton Antivirus AV
    • KasperskyAVEng
    • SkynetsRevenge
    • ICQ Net
    from the following subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
  • If the date is later than September 22, 2009, it attempts to delete the following registry entries and exit:
    HKEY_CURRENT_USER\SOFTWARE\ewrt
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n, "erthegdr"

    Email Propagation

  • Attempts to download files from the following URLs:

    • http://click[blocked]/images/web.php
    • http://amerikansk[blocked]/images/web.php
    • http://eventpeople[blocked]/help/web.php
    • http://fye[blocked]/lyra/web.php
    • http://ligapic[blocked]/images/web.php
    • http://eks[blocked]/images/web.php
    • http://direc[blocked]/images/web.php
    • http://creacionesartist[blocked]/bovedas/web.php

    The downloaded file is saved to the Windows folder as eml.exe. The virus harvests email addresses from this file and sends a copy of W32/Mitglieder.fam!tr to those addresses.

  • Avoids sending emails to addresses that contain any of the strings in its specified list, which includes the following:

    • @derewrdgrs
    • @eerswqe
    • @messagelab
    • @microsoft
    • anyone@
    • certific
    • contract@
    • f-secur
    • free-av
    • gold-certs@
    • google
    • icrosoft
    • listserv
    • nobody@
    • noone@
    • noreply
    • postmaster@
    • rating@
    • samples
    • support

  • The email has the following format:

    Message Body: one of the following:

    • price
    • new price
    • The password is
    • Password:

    Attachment: one of the following:

    • price.zip
    • price2.zip
    • price_new.zip
    • price_09.zip
    • 09_price.zip
    • newprice.zip
    • new_price.zip
    • new__price.zip


    Backdoor/Trojan Behavior

  • Attempts to terminate the following processes:

    • 1t1epad.exe
    • t1es1t.exe

  • Attempts to download files from the following URLs:

    • http://localhost/[blocked]ss.php
    • http://localhost/[blocked]2.php
    • http://localhost/[blocked]3.php

    The downloaded file is saved in the System folder as re_file.exe. It then executes this file.

  • Opens a backdoor on TCP port 80, which may allow the compromised computer to act as a proxy server.
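The host indicators above (dropped file, Run value, marker key and mutexes) can be checked with a read-only triage script. The following PowerShell is an added example, not Fortinet's own tooling; it assumes %System% is $env:SystemRoot\System32 and that the key written as "Ru1n" in this write-up denotes the standard ...\CurrentVersion\Run key.

```powershell
# Added triage check for the W32/Bagle.DA@mm indicators listed in the analysis.
# Read-only: it reports findings and removes nothing.
# Assumptions: %System% = $env:SystemRoot\System32; "Ru1n" in the write-up = Run.
$findings = @()

# 1. Dropped file: %System%\windll2.exe
$dropped = Join-Path (Join-Path $env:SystemRoot 'System32') 'windll2.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Persistence: Run value 'erthegdr'. The write-up names HKCU; HKLM is checked
#    as well because the worm touches both Run keys when deleting AV entries.
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $runKey -Name 'erthegdr' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run value erthegdr in $runKey = $($val.erthegdr)" }
}

# 3. Marker key HKCU\SOFTWARE\ewrt (the worm only removes it after 2009-09-22)
if (Test-Path -LiteralPath 'HKCU:\SOFTWARE\ewrt') {
    $findings += 'Registry key present: HKCU\SOFTWARE\ewrt'
}

# 4. Mutexes the worm creates. These are Netsky-family names, so a hit means
#    either Bagle.DA or a Netsky variant is resident in this session; the check
#    uses the session-local namespace, where a user-mode worm creates them.
$mutexNames = @(
    '251204',
    'MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D',
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    '_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_',
    '[SkyNet.cz]SystemsMutex',
    'AdmSkynetJklS003',
    '____--->>>>U<<<<--____',
    '_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_'
)
foreach ($name in $mutexNames) {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $m.Dispose()
        $findings += "Mutex open: $name"
    }
}

if ($findings.Count -eq 0) {
    'No W32/Bagle.DA@mm indicators found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A mutex hit alone is not conclusive for Bagle.DA, since the names belong to the Netsky family; correlate it with the file and Run-value findings before acting.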

Recommended Action

    FortiGate systems:

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Reference: ID - 95097