Virus

W32/Chod.A

Analysis

W32/Chod.A installs itself by creating a folder with a random name inside the Windows System folder.
   e.g. C:\WinNT\System32\kyuhovqoqf
The virus then copies itself into this folder and adds a registry value named "Installed" with the data "1" under each of the following keys. It uses this marker to recognise a system it has already infected:
   HKEY_CLASSES_ROOT\Chode
   HKEY_CURRENT_USER\Software\Chode
   HKEY_LOCAL_MACHINE\Software\Classes\Chode
Next, the virus executes the copy it placed in the random-name folder. That folder also holds two data files, crss.dat and crss.ini, in which the virus keeps its information in encrypted form. It then displays the message box shown above.
The virus also sets the following registry entries:
to run itself at Windows startup:
   HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
      run=C:\WinNT\System32\<random-name folder>\csrss.exe
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      csrss=C:\WinNT\System32\<random-name folder>\csrss.exe
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      csrss=C:\WinNT\System32\<random-name folder>\csrss.exe
Explorer settings:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
system policies:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\System
      NoAdminPage=1
      DisableRegistryTools
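The autorun entries above are the most durable indicator of this infection: a file called csrss.exe registered in a Run key, living in a subfolder of System32. The real csrss.exe is started by smss.exe, never from an autorun key, and never sits below System32. The following Python triage routine, added here as an example and not part of the original Fortinet description, applies both checks to a constructed list of (key, value name, data) tuples; the benign "Updater" entry and the path C:\Program Files\Example\ are made up. It generalises beyond the page by treating any core Windows process name in an autorun as suspicious, not only csrss.exe.

```python
import ntpath

# Names of core Windows processes. They are started by the kernel or by smss.exe,
# never from an autorun key, so any Run entry using one of these names is a
# masquerade such as the csrss.exe copy described above.
CORE_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}

# Constructed sample of autorun values (key, value name, data). The first three
# mirror the entries listed above; the last is a made-up benign entry.
SAMPLE_AUTORUNS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "run", r"C:\WinNT\System32\kyuhovqoqf\csrss.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "csrss", r"C:\WinNT\System32\kyuhovqoqf\csrss.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "csrss", r"C:\WinNT\System32\kyuhovqoqf\csrss.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r'"C:\Program Files\Example\updater.exe" /quiet'),
]


def image_path(data):
    """Extract the executable path from autorun data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first ".exe" so paths with spaces survive.
        idx = data.lower().find(".exe")
        path = data[:idx + 4] if idx != -1 else data.split(" ", 1)[0]
    return ntpath.normpath(path).lower()


def assess_autorun(data):
    """Return the reasons an autorun entry looks like W32/Chod.A-style
    persistence; an empty list means nothing suspicious was found."""
    image = image_path(data)
    name = ntpath.basename(image)
    parent_parts = ntpath.dirname(image).split("\\")
    reasons = []
    if name in CORE_PROCESS_NAMES:
        reasons.append("core system process name registered as an autorun")
    if "system32" in parent_parts and parent_parts[-1] != "system32":
        reasons.append("image lives in a subfolder of System32")
    return reasons


def triage(entries):
    """Run assess_autorun over (key, name, data) tuples and keep the hits."""
    findings = []
    for key, name, data in entries:
        reasons = assess_autorun(data)
        if reasons:
            findings.append({"key": key, "name": name,
                             "image": image_path(data), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS):
        print(f["key"], f["name"], f["image"], "; ".join(f["reasons"]))
```

On a live host the tuples would come from an Autoruns export or a .reg dump of the three keys listed above; the path normalisation is what makes the check robust to quoting and case differences.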
The virus body contains the following URLs, both belonging to NirSoft, whose password-recovery tools it runs (see the commands below): "http://nirsoft.mirrorz.com" and "http://www.nirsoft.net/"
While running, the virus connects to the DALnet IRC network, joins the channel "ch0dewaffles", sends system information and then listens for instructions, acting as a backdoor on the infected system.
Strings recovered from the virus's encrypted body show that it has the following capabilities.
propagates via email
It harvests email addresses from files with the following extensions:

  • .dhtm
  • .cgi
  • .shtm
  • .msg
  • .oft
  • .sht
  • .dbx
  • .tbb
  • .adb
  • .doc
  • .wab
  • .asp
  • .uin
  • .rtf
  • .vbs
  • .html
  • .htm
  • .pl
  • .php
  • .txt
  • .eml
  • .xml
  • .ctt
  • .sql
It skips addresses that contain any of the following strings:
  • .gov
  • .mil
  • abuse
  • fbi
  • norton
  • messagelabs
  • bitdefender
  • f-secure
  • avp
  • spam
  • symantec
  • antivirus
  • microsoft
The From field of the email can be any of the following:
  • securityresponse@symantec.com
  • security@microsoft.com
  • security@trendmicro.com
The Subject of the email can be any of the following:
  • Your computer may have been infected
  • Warning - you have been infected!
The Body of the email can be any of the following:
Your message was undeliverable due to the following reason(s):
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your original message has been attached.

The Attachment of the email can be any of the following:
  • netsky_removal.exe
  • removal_tool.exe
  • message.pif
  • message.scr
propagates via MSN
The message can be any of the following:
  • lol check this out, it freaked me out :S
  • LOL! look at this, I can't explain it in words...
  • omg check this out, it's just wrong :O
  • ROFL!! you have to see this... wtf...
  • you have to see this, it's amazing!
  • holy shit you have to see this... :|
  • I just found this on a CD... you won't believe it! :|
  • dude check this out, it's awesome! :D
  • some random chick just sent me her picture, check it out ;)
  • haha you have to see this, I almost couldn't believe it! :O
It then sends a file named as one of the following:
  • naked lesbian twister.exe
  • naked lesbian twister.scr
  • paris hilton.exe
  • paris hilton.scr
  • us together.exe
  • us together.scr
  • picture.exe
  • picture.scr
  • gross.exe
  • gross.scr
  • mypic.exe
  • mypic.scr
  • awesome.exe
  • awesome.scr
modifies the HOSTS file to block the user from reaching the following sites:
  • avp.com
  • www.avp.com
  • ca.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • f-secure.com
  • fastclick.net
  • ftp.f-secure.com
  • ftp.sophos.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • secure.nai.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • support.microsoft.com
  • symantec.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • vil.nai.com
  • viruslist.com
  • www.viruslist.com
  • www.awaps.net
  • www.ca.com
  • www.f-secure.com
  • www.fastclick.net
  • www.mcafee.com
  • www.microsoft.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.sophos.com
  • www.symantec.com
  • www3.ca.com
  • www.grisoft.com
  • grisoft.com
  • housecall.trendmicro.com
  • trendmicro.com
  • www.trendmicro.com
  • www.pandasoftware.com
  • pandasoftware.com
  • kaspersky.com
  • www.kaspersky.com
  • www.zonelabs.com
  • zonelabs.com
  • phpbb.com
  • www.phpbb.com
  • www.spywareinfo.com
  • spywareinfo.com
  • www.merijn.org
  • merijn.org
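Checking the HOSTS file for this kind of tampering is straightforward once the file is parsed correctly: comments, tabs and several hostnames on one line all occur in real files. The Python below is an added example, not part of the original Fortinet description. It runs over constructed HOSTS content (the internal fileserver.corp.example entry is invented) and reports every security-vendor name the file overrides. It goes one step beyond the page by distinguishing a blackholed entry (loopback or 0.0.0.0, the behaviour described above) from a vendor name pointed at a routable address, which would suggest pharming rather than simple blocking.

```python
import ipaddress

# Domains of security vendors commonly blackholed by malware HOSTS edits, taken
# from the list above. Matching is by exact name or any subdomain.
SECURITY_VENDOR_DOMAINS = (
    "avp.com", "ca.com", "mcafee.com", "f-secure.com", "sophos.com",
    "symantec.com", "microsoft.com", "nai.com", "networkassociates.com",
    "my-etrust.com", "viruslist.com", "grisoft.com", "trendmicro.com",
    "pandasoftware.com", "kaspersky.com", "zonelabs.com",
)

# Constructed HOSTS file content imitating the modification described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com symantec.com liveupdate.symantec.com
127.0.0.1\tdownload.mcafee.com   # stop signature updates
0.0.0.0         housecall.trendmicro.com
192.168.0.10    fileserver.corp.example   # legitimate internal entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, handling comments, tabs and several names per line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def is_blackholed(ip):
    """True if the address swallows traffic (loopback, 0.0.0.0 or ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_vendor_host(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_hijacked(text):
    """Return (host, ip, verdict) for every vendor name the HOSTS file overrides.
    'blackholed' is the blocking described above; 'redirected' means the name
    resolves to a routable address and deserves a closer look."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_vendor_host(host):
            verdict = "blackholed" if is_blackholed(ip) else "redirected"
            findings.append((host, ip, verdict))
    return findings


if __name__ == "__main__":
    for host, ip, verdict in find_hijacked(SAMPLE_HOSTS):
        print(f"{verdict:10} {host} -> {ip}")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains nothing but the localhost lines.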
terminates the following services:
  • Symantec NetDriver Monitor
  • Outpost Firewall
  • gcasServ
  • KAVPersonal50
  • Zone Labs Client
  • services
  • microsoft antispyware*
  • hijackthis*
terminates the following loaded programs:
  • msconfig.exe
  • kav.exe
  • kavsvc.exe
  • mcvsshld.exe
  • mcagent.exe
  • mcshield.exe
  • mcvsftsn.exe
  • mcdash.exe
  • mcvsescn.exe
  • mcinfo.exe
  • mpfagent.exe
  • mpftray.exe
  • mpfservice.exe
  • mskagent.exe
  • mcmnhdlr.exe
  • sndsrvc.exe
  • usrprmpt.exe
  • ccapp.exe
  • ccevtmgr.exe
  • spbbcsvc.exe
  • ccsetmgr.exe
  • symlcsvc.exe
  • npfmntor.exe
  • navapsvc.exe
  • issvc.exe
  • ccproxy.exe
  • navapw32.exe
  • navw32.exe
  • smc.exe
  • outpost.exe
  • zlclient.exe
  • vsmon.exe
  • isafe.exe
  • pandaavengine.exe
  • msblast.exe
  • penis32.exe
  • teekids.exe
  • bbeagle.exe
  • d3dupdate.exe
  • sysmonxp.exe
  • i11r54n4.exe
  • irun4.exe
  • mscvb32.exe
  • sysinfo.exe
  • mwincfg32.exe
  • wincfg32.exe
  • winsys.exe
  • zapro.exe
  • winupd.exe
  • enterprise.exe
  • regedit.exe
  • hijackthis.exe
  • gcasdtserv.exe
  • gcasserv.exe
steals passwords from the following chat programs:
  • GAIM
  • ICQ Lite/2003
  • Miranda
  • Trillian
  • AOL Instant Messenger
  • jabber
  • MSN Messenger
  • Yahoo Messenger
executes the following commands:
  • ipconfig /flushdns --> purges the DNS resolver cache, so the HOSTS entries above take effect immediately.
  • netsh.exe firewall set opmode mode=disable profile=all --> disables the Windows Firewall for all profiles.
  • pspv.exe /stab --> runs NirSoft "Protected Storage PassView", saving the recovered passwords as a tab-delimited file.
  • mspass.exe /stab --> runs NirSoft "MessenPass", saving the recovered instant-messenger passwords as a tab-delimited file.
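Taken one at a time these commands are weak signals: ipconfig /flushdns is routine, and a NirSoft tool may be run by an administrator. The value is in correlating them by parent process. The Python below is an added example, not part of the original Fortinet description; it parses constructed process-creation records in a simple one-line format (time, parent image, command line; not real Sysmon or EDR output, and the timestamps are invented) and reports parents that produced at least one high-severity command. It generalises beyond the page by also matching the later netsh advfirewall syntax and the full set of NirSoft export switches, of which /stab is one.

```python
import re

# Constructed process-creation records (time, parent image, command line), in a
# simple one-line format; not real Sysmon or EDR output.
SAMPLE_LOG = """\
2005-05-02T10:14:03 parent=C:\\WinNT\\System32\\kyuhovqoqf\\csrss.exe cmd="netsh.exe firewall set opmode mode=disable profile=all"
2005-05-02T10:14:04 parent=C:\\WinNT\\System32\\kyuhovqoqf\\csrss.exe cmd="ipconfig /flushdns"
2005-05-02T10:14:05 parent=C:\\WinNT\\System32\\kyuhovqoqf\\csrss.exe cmd="pspv.exe /stab"
2005-05-02T10:14:06 parent=C:\\WinNT\\System32\\kyuhovqoqf\\csrss.exe cmd="mspass.exe /stab"
2005-05-02T10:20:00 parent=C:\\WinNT\\explorer.exe cmd="ipconfig /flushdns"
2005-05-02T10:21:00 parent=C:\\WinNT\\explorer.exe cmd="netsh.exe firewall show state"
"""

LINE = re.compile(r'^(\S+)\s+parent=(\S+)\s+cmd="(.*)"$')

# (rule name, pattern over the command line, severity). advfirewall_off and the
# extra NirSoft switches generalise beyond the commands listed on this page.
RULES = [
    ("firewall_disable", re.compile(r"^netsh(\.exe)?\s+firewall\s+set\s+opmode\s+.*mode=disable", re.I), "high"),
    ("advfirewall_off", re.compile(r"^netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I), "high"),
    ("nirsoft_export", re.compile(r"^(pspv|mspass)(\.exe)?\s+/s(text|tab|comma|html|xml)\b", re.I), "high"),
    ("dns_flush", re.compile(r"^ipconfig(\.exe)?\s+/flushdns", re.I), "low"),
]


def detect(log):
    """Return (time, parent, rule, severity) for every record matching a rule."""
    hits = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        time, parent, cmd = m.groups()
        for rule, pattern, severity in RULES:
            if pattern.search(cmd.strip()):
                hits.append((time, parent, rule, severity))
    return hits


def correlate(hits):
    """Group hits by parent and keep parents with at least one high-severity
    hit. A lone 'ipconfig /flushdns' from Explorer is noise; the same command
    chained with a firewall disable and a password dumper from one parent is
    the W32/Chod.A pattern."""
    by_parent = {}
    for _, parent, rule, severity in hits:
        entry = by_parent.setdefault(parent, {"rules": set(), "high": False})
        entry["rules"].add(rule)
        if severity == "high":
            entry["high"] = True
    return {p: v["rules"] for p, v in by_parent.items() if v["high"]}


if __name__ == "__main__":
    for parent, rules in correlate(detect(SAMPLE_LOG)).items():
        print(parent, sorted(rules))
```

Feeding real Sysmon Event ID 1 data into this only requires replacing LINE with a parser for the ParentImage and CommandLine fields; the rules and the correlation step stay the same.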

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.