W32/Grew.A!worm

Alias/es: CME-24, Email-Worm.Win32.Nyxem.e [KAV], Kama Sutra worm [Press], W32/Grew.A!wm, W32/Kapser.A!mm, W32/Kapser.A@mm [F-Prot], W32/Nyxem-D [Sophos], WORM_GREW.A [Trend]
Release Date: Jan 16, 2006
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A
Current Antivirus Definition Database Version: 12.323
CVE: CME-24
Description

Visible Symptoms

  • Possible firewall alert that these files are attempting to connect with the Internet using UDP -

    scanregw.exe
    Update.exe
    Winzip.exe

  • Compromised systems are slow to respond due to heavy outbound traffic on TCP port 445 with other machines

  • Creation of these files on the infected system [note, the System32 folder may be in a different path depending on the version of Windows and user preferences] - the files will be hidden with read-only and system attributes -

    C:\WINNT\Rundll16.exe
    C:\WINNT\system32\scanregw.exe
    C:\WINNT\system32\Update.exe
    C:\WINNT\system32\Winzip.exe

  • The virus file uses an icon identical to that of the WinZip32 application executable, and has a file size of 95,690 bytes

  • Opening the viral email attachment displays an empty WinZip window similar to this one -

    [Image: Empty WinZip file displayed by W32/Grew virus]

  • Data and archive files are reduced to 32 bytes from their original size

Detailed Analysis

This virus is packed and has a file size of 95,690 bytes. It contains code to spread to other systems using the methods described in the sections below.

The virus also has the following characteristics -

Loading at Windows startup
If the threat is run manually, it will copy itself to the local system in several places -

C:\WinZip_Tmp.exe
C:\WINNT\Rundll16.exe
C:\WINNT\system32\scanregw.exe
C:\WINNT\system32\Update.exe
C:\WINNT\system32\Winzip.exe

The virus also extracts an ActiveX control to help with Internet connectivity -

C:\WINNT\system32\MSWINSCK.OCX (55,808 bytes)

The virus will register itself to load at Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ScanRegistry" = scanregw.exe /scan

SMTP mass-mailing routine
The virus uses its own built-in SMTP routine to send itself to other email addresses. It first harvests addresses from certain file types to build a list of potential targets, skipping addresses that contain certain strings.

The virus will try to collect usable email addresses from files having these extensions -

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

The captured addresses are used as targets for the mailing routine. As with other viruses using this technique, the virus will avoid selecting email addresses containing certain strings, such as these -

KASPER
TRUST
BLOCKSENDER
SCRIBE
YAHOOGROUPS
TREND
PANDA
SECUR
SPAM
ANTI
CILLIN
CA.COM
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
EEYE
MICROSOFT
HOTMAIL
MSN
MYWAY
@HOTMAIL
@HOTPOP

These are some of the possible file names used for the infectious attachment -

Clipe,zip .sCr
WinZip,zip .scR
04.pif
Adults_9,zip .sCR
Sweet_09
Photos,zip .sCR
Photos
007.pif
School.pif
photo.pif
Arab sex DSC-00465.jpg
DSC-00465.Pif
image04.pif
677.pif
Attachments[001],B64 .sCr
Attachments[001].B64
392315089702606E-02,UUE .scR
3.92315089702606E02.UUE
SeX,zip .scR
SeX.mim
Sex.mim
ATT01.zip .sCR
Original Message.B64
WinZip.BHX
eBook.Uu
Word.zip .sCR
Word_Document.hqx
Word XP.zip .sCR
Word_Document.uu
DSC-00465.pIf
New_Document_file.pif
eBook.pdf
eBook.PIF
document.pif
New Video,zip .sCr
Video_part.mim
Attachments,zip .SCR
Attachments00.HQX
Atta[001],zip .SCR
Attachments001.BHX
WinZip.zip .sCR

The email attachment may have one of these secondary extensions -

.PIF
.EXE
.MIM
.HQX
.BHx
.UUE
.SCR

Additional properties of the email: the attachment may be declared with one of the following MIME content types (Content-Type header values) -

application/x-msdownload;
application/x-iphone;
application/x-compress;
application/mac-binhex40;
application/pkix-crl;
application/x-director;
application/x-cdf;
application/x-gzip;

The virus may use any of the following strings to compose the email message subject line and body text -

Part 1 of 6 Video clipe
Note: forwarded message attached.
begin 664
You Must View This Videoclip!
Miss Lebanon 2006
>> forwarded message
Miss
Re: Sex Video
----- forwarded message -----
My photos
i just any one see my photos.
It's Free :)
Photos
The Best Videoclip Ever
School girl fantasies gone bad
Hot XXX Yahoo Groups
A Great Video
F**kin Kama Sutra pics
ready to be F**KED ;)
give me a kiss
forwarded message attached.
*Hot Movie*
VIDEOS! FREE! (US$ 0,00)
Fw: Picturs
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw: Real show
Fwd: Crazy illegal Sex!
What?
i send the file.
Hello
i attached the details.
Thank you
the file
i send the details
bye
Word file
hello,
Fw: DSC-00465.jpg
Please see the file.
how are you?
i send the details.
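The attachment names, secondary extensions and content types listed above are exactly the properties a mail gateway can match on. As an added example from the filtering side (not code from the original Fortinet write-up), the Python below turns them into attachment rules: a final extension in the executable or encoded-wrapper sets, a decoy archive name separated from the real extension by a comma and whitespace (as in "Photos,zip .sCR"), and a Content-Type that declares a Windows executable download. The function names and the threshold choices are assumptions; the sample attachment names come from the list on this page.

```python
import re
from typing import Dict, List, Tuple

# Extensions the worm uses for its executable attachment (from the page's list)
EXECUTABLE_EXTS = {"pif", "exe", "scr"}
# Encoded containers (uuencode, BinHex, MIME) that wrap the executable
ENCODED_WRAPPER_EXTS = {"mim", "hqx", "bhx", "uue", "uu", "b64"}
# Content-Type values the page lists for the viral attachment
LISTED_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-iphone", "application/x-compress",
    "application/mac-binhex40", "application/pkix-crl", "application/x-director",
    "application/x-cdf", "application/x-gzip",
}
# "Photos,zip .sCR": a decoy archive name, whitespace, then the real extension
DECOY_RE = re.compile(r"[,.](zip|b64|uue)\s+\.[a-z0-9]+\s*$", re.IGNORECASE)
# Whitespace in front of the final extension, used to push the real extension out of view
PADDED_EXT_RE = re.compile(r"\s\.[a-z0-9]+\s*$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Return the final extension in lower case, ignoring trailing whitespace."""
    m = re.search(r"\.([A-Za-z0-9]+)\s*$", filename)
    return m.group(1).lower() if m else ""


def classify_attachment(filename: str, content_type: str = "") -> List[str]:
    """Return the reasons an attachment should be held; an empty list means no rule matched."""
    reasons: List[str] = []
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    elif ext in ENCODED_WRAPPER_EXTS:
        reasons.append(f"encoded wrapper .{ext} (may contain an executable)")
    if DECOY_RE.search(filename):
        reasons.append("decoy archive name in front of the real extension")
    elif PADDED_EXT_RE.search(filename):
        reasons.append("whitespace padding before the final extension")
    ct = content_type.lower().strip().rstrip(";")
    if ct == "application/x-msdownload":
        reasons.append("declared as a Windows executable download")
    elif ct in LISTED_CONTENT_TYPES and ext in EXECUTABLE_EXTS | ENCODED_WRAPPER_EXTS:
        reasons.append(f"content type {ct} carrying a .{ext} attachment")
    return reasons


def scan_attachments(attachments: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged attachment name to its reasons; attachments with no match are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name, ct in attachments:
        reasons = classify_attachment(name, ct)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed message: three names from the page's list plus one ordinary document
    sample = [
        ("Photos,zip .sCR", "application/x-compress"),
        ("DSC-00465.Pif", "application/x-msdownload"),
        ("3.92315089702606E02.UUE", "application/x-gzip"),
        ("quarterly_report.xlsx", "application/vnd.ms-excel"),
    ]
    for name, reasons in scan_attachments(sample).items():
        print(f"HOLD {name!r}: {'; '.join(reasons)}")
```

The rules are deliberately independent of the exact file names on the page, so a renamed attachment with the same construction (comma, decoy archive name, padded executable extension) is still held; a plain .pdf or .xlsx with a matching content type passes through.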

Network spreading routine
The virus will attempt to copy itself to systems across a network into the following share points -

Admin$\WINZIP_TMP.exe
c$\WINZIP_TMP.exe
c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

The virus may delete the following file from the share location -

c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

so that the pre-existing shortcut no longer points to the genuine, non-infected WinZip32 executable.
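Copying to Admin$ and C$ shares is what produces the "heavy outbound traffic on TCP port 445 with other machines" listed under Visible Symptoms: one infected host opens SMB sessions to many peers in a short time, whereas a normal client talks to a handful of file servers. As an added detection example (not code from the original write-up, and not a FortiGate log format), the Python below parses constructed flow records, buckets TCP/445 connections per source into fixed time windows and reports sources whose distinct-destination count crosses a threshold. The record format, the window size and the threshold are assumptions to tune for the environment.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records in a generic "key=value" form; not a real firewall log format.
# 10.0.0.5 fans out to seven hosts on 445, 10.0.0.9 talks to one file server, 10.0.0.7 browses.
SAMPLE_LOG = """\
1137400000 src=10.0.0.5 dst=10.0.0.11 proto=tcp dport=445
1137400001 src=10.0.0.5 dst=10.0.0.12 proto=tcp dport=445
1137400001 src=10.0.0.9 dst=10.0.0.50 proto=tcp dport=445
1137400002 src=10.0.0.5 dst=10.0.0.13 proto=tcp dport=445
1137400003 src=10.0.0.5 dst=10.0.0.14 proto=tcp dport=445
1137400003 src=10.0.0.9 dst=10.0.0.50 proto=tcp dport=445
1137400004 src=10.0.0.5 dst=10.0.0.15 proto=tcp dport=445
1137400005 src=10.0.0.7 dst=10.0.0.11 proto=tcp dport=80
1137400005 src=10.0.0.7 dst=10.0.0.12 proto=tcp dport=80
1137400006 src=10.0.0.5 dst=10.0.0.16 proto=tcp dport=445
1137400007 src=10.0.0.9 dst=10.0.0.50 proto=tcp dport=445
1137400008 src=10.0.0.5 dst=10.0.0.17 proto=tcp dport=445
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)$"
)

Flow = Tuple[int, str, str, int]  # (epoch seconds, source, destination, destination port)


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format; lines that do not match are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((int(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return flows


def smb_fanout(flows: List[Flow], window: int = 60, threshold: int = 5) -> List[Tuple[str, int]]:
    """Sources that reached at least `threshold` distinct hosts on TCP/445 inside one `window`-second bucket.

    Returns (source, peak distinct destinations) pairs, sorted by source address.
    """
    buckets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport == 445:
            buckets[(src, ts // window)].add(dst)
    peak: Dict[str, int] = {}
    for (src, _bucket), dsts in buckets.items():
        peak[src] = max(peak.get(src, 0), len(dsts))
    return sorted((src, n) for src, n in peak.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in smb_fanout(parse_flows(SAMPLE_LOG)):
        print(f"possible SMB spreading from {src}: {n} distinct hosts on tcp/445 within 60 s")
```

Counting distinct destinations rather than raw connection volume is what separates the worm's share-copying from a busy but legitimate client that hammers a single file server.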

File Deletion Payload [1]
The virus will attempt to connect to networked computers using the logon name "Administrator". It will then try to delete files belonging to antivirus software installations, both locally and across networked systems. The virus will try to delete files from the following paths, on networked systems via their shared hard drives and on the local system -

[Networked systems]
C$\Program Files\Norton AntiVirus
C$\Program Files\Common Files\symantec shared
C$\Program Files\Symantec\LiveUpdate
C$\Program Files\McAfee.com\VSO
C$\Program Files\McAfee.com\Agent
C$\Program Files\McAfee.com\shared
C$\Program Files\Trend Micro\PC-cillin 2002
C$\Program Files\Trend Micro\PC-cillin 2003
C$\Program Files\Trend Micro\Internet Security
C$\Program Files\NavNT
C$\Program Files\Panda Software\Panda Antivirus Platinum
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
C$\Program Files\Panda Software\Panda Antivirus 6.0
C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

[Local]
\Program Files\Symantec\LiveUpdate\*.*
\Program Files\Symantec\Common Files\Symantec Shared\*.*
\Program Files\Norton AntiVirus\*.exe
\Program Files\Alwil Software\Avast4\*.exe
\Program Files\McAfee.com\VSO\*.exe
\Program Files\McAfee.com\Agent\*.*
\Program Files\McAfee.com\shared\*.*
\Program Files\Trend Micro\PC-cillin 2002\*.exe
\Program Files\Trend Micro\PC-cillin 2003\*.exe
\Program Files\Trend Micro\Internet Security\*.exe
\Program Files\NavNT\*.exe
\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\Program Files\Grisoft\AVG7\*.dll
\Program Files\TREND MICRO\OfficeScan\*.dll
\Program Files\Trend Micro\OfficeScan Client\*.exe
\Program Files\HyperTechnologies\Deep Freeze\*.exe

Additionally, the virus will attempt to damage P2P application installations by deleting .DLL component files from various local folders -

\Program Files\DAP\*.dll
\Program Files\BearShare\*.dll
\Program Files\Morpheus\*.dll
\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.jar

File Deletion Payload [2]
This virus will alter data files and archive files after an infected system is restarted on the 3rd day of any month. The system must also have been running for at least 30 minutes for this payload to trigger. The payload searches the entire hard drive for files having these extensions -

.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp

For every file found, the virus will replace the content of the file with the following string which equates to 32 bytes -

DATA Error [47 0F 94 93 F4 K5]

Files overwritten with this data must be restored from a backup copy.
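Because every damaged file is reduced to the same 32-byte marker, the scope of this payload can be established quickly after the fact, which is what drives the restore-from-backup decision above. As an added example (not code from the original write-up), the Python below walks a directory tree, looks only at the extensions the payload targets, and reports files that are at most 32 bytes long and begin with the "DATA Error" string; it builds a small constructed sample tree so it runs offline. The page gives the marker text and the 32-byte size but not the exact trailing bytes, so the sample files pad the marker with CRLF, which is an assumption, and the check therefore matches on the prefix rather than on the full content.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Union

# The string the page says replaces each file's content, and the resulting file size
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
OVERWRITTEN_SIZE = 32
# Extensions the payload searches for (from the page's list)
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path: Union[str, Path]) -> bool:
    """True if the file is no larger than 32 bytes and starts with the overwrite marker."""
    p = Path(path)
    try:
        if p.stat().st_size > OVERWRITTEN_SIZE:
            return False
        with p.open("rb") as f:
            head = f.read(OVERWRITTEN_SIZE)
    except OSError:
        return False
    return head.startswith(OVERWRITE_MARKER)


def find_overwritten(root: Union[str, Path]) -> List[str]:
    """Walk `root` and return relative paths (POSIX form) of targeted files that carry the marker."""
    root = Path(root)
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and is_overwritten(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: two damaged documents, one intact PDF, one damaged but untargeted .txt."""
    root = Path(tempfile.mkdtemp(prefix="grew_demo_"))
    (root / "reports").mkdir()
    # Marker padded to 32 bytes with CRLF; the padding bytes are an assumption, not from the page
    damaged = OVERWRITE_MARKER + b"\r\n"
    (root / "reports" / "budget.xls").write_bytes(damaged)
    (root / "notes.doc").write_bytes(damaged)
    (root / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * 200)
    (root / "readme.txt").write_bytes(damaged)  # .txt is not in the payload's extension list
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_overwritten(sample_root):
        print(f"overwritten: {rel}")
```

Pointing find_overwritten at a real volume root (for example C:\ on the affected host) produces the list of files to pull from backup; the size check keeps the scan cheap because only tiny files are ever opened.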

Application Startup Blocking Routine
This virus may remove registry keys whose names match the following strings; most of these belong to antivirus software applications -

APVXDWIN
avast!
AVG_CC
AVG7_CC
AVG7_EMC
AVG7_Run
Avgserv9.exe
AVGW
ccApp
CleanUp
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
MCAgentExe
McRegWiz
MCUpdateExe
McVsRte
MPFExe
MSKAGENTEXE
MSKDetectorExe
NAV Agent
NPROTECT
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PCClient.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
ScriptBlocking
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray
VirusScan Online
vptray
VSOCheckTask

By removing the registry keys, the application referenced in the key fails to load at System startup.

Additional Registry Changes
The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed -

HKEY_CLASSES_ROOT\Licenses
"(Default)" = Licensing: Copying the keys may be a violation of established copyrights.

HKEY_CLASSES_ROOT\Licenses\096EFC40-6ABF-11cf-850C-08002B30345D
"(Default)" = knsgigmnmngnmnigthmgpninrmumhgkgrlrk

HKEY_CLASSES_ROOT\Licenses\190B7910-992A-11cf-8AFA-00AA00C00905
"(Default)" = gclclcejjcmjdcccoikjlcecoioijjcjnhng

HKEY_CLASSES_ROOT\Licenses\2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
"(Default)" = mlrljgrlhltlngjlthrligklpkrhllglqlrk

HKEY_CLASSES_ROOT\Licenses\4250E830-6AC2-11cf-8ADB-00AA00C00905
"(Default)" = kjljvjjjoquqmjjjvpqqkqmqykypoqjquoun

HKEY_CLASSES_ROOT\Licenses\4D553650-6ABE-11cf-8ADB-00AA00C00905
"(Default)" = gfjmrfkfifkmkfffrlmmgmhmnlulkmfmqkqj

HKEY_CLASSES_ROOT\Licenses\556C75F1-EFBC-11CF-B9F3-00A0247033C4
"(Default)" = xybiedobrqsprbijaegcbislrsiucfjdhisl

HKEY_CLASSES_ROOT\Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905
"(Default)" = aahakhchghkhfhaamghhbhbhkbpgfhahlfle

HKEY_CLASSES_ROOT\Licenses\5f54e750-ce26-11cf-8e43-00a0c911005a
"(Default)" = mnlnnimimnoiuilnvjkinnkitjwjnimntntm

HKEY_CLASSES_ROOT\Licenses\6FB38640-6AC7-11cf-8ADB-00AA00C00905
"(Default)" = gdjkokgdldikhdddpjkkekgknesjikdkoioh

HKEY_CLASSES_ROOT\Licenses\72E67120-5959-11cf-91F6-C2863C385E30
"(Default)" = ibcbbbebqbdbciebmcobmbhifcmciibblgmf

HKEY_CLASSES_ROOT\Licenses\78E1BDD1-9941-11cf-9756-00AA00C00908
"(Default)" = yjrjvqkjlqqjnqkjvprqsjnjvkuknjpjtoun

HKEY_CLASSES_ROOT\Licenses\7C35CA30-D112-11cf-8E72-00A0C90F26F8
"(Default)" = whmhmhohmhiorhkouimhihihwiwinhlosmsl

HKEY_CLASSES_ROOT\Licenses\899B3E80-6AC6-11cf-8ADB-00AA00C00905
"(Default)" = wjsjjjlqmjpjrjjjvpqqkqmqukypoqjquoun

HKEY_CLASSES_ROOT\Licenses\9E799BF1-8817-11cf-958F-0020AFC28C3B
"(Default)" = uqpqnqkjujkjjjjqwktjrjkjtkupsjnjtoun

HKEY_CLASSES_ROOT\Licenses\B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905
"(Default)" = qqkjvqpqmqjjpqjjvpqqkqmqvkypoqjquoun

HKEY_CLASSES_ROOT\Licenses\BC96F860-9928-11cf-8AFA-00AA00C00905
"(Default)" = mmimfflflmqmlfffrlnmofhfkgrlmmfmqkqj

HKEY_CLASSES_ROOT\Licenses\E32E2733-1BC5-11d0-B8C3-00A0C90DCA10
"(Default)" = kmhfimlflmmfpffmsgfmhmimngtghmoflhsg

The virus also makes other changes, such as the following -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
"ShowSuperHidden" = 00, 00, 00, 00

With ShowSuperHidden set to 0, Windows Explorer does not display files carrying the system attribute, so the dropped copies described above stay out of sight.

HTT File Modification
The virus will modify the Desktop.htt configuration file, which controls how Active Desktop is displayed on user systems. The change causes a copy of the virus, C:\WinZip_Tmp.exe, to be launched whenever Windows loads the Active Desktop (at Windows start-up). The virus appends JavaScript code to this file -

C:\Documents and Settings\{user}\Application Data\Microsoft\Internet Explorer\Desktop.htt

The code uses an ActiveX control to reference the file "WinZip_Tmp.exe". Additionally, the virus will modify the "desktop.ini" configuration file to point to an infectious "Temp.htt" HTML file to launch the virus.

Description Last Updated Date: Jan 26, 2006
Reference: ID - 143017