W32/Chod.A
Analysis
W32/Chod.A infects a machine by creating a folder with a random name inside the Windows System folder,
e.g. C:\WinNT\System32\kyuhovqoqf
It then copies itself into this folder.
The virus then updates the registry by adding an entry named "Installed" with the value "1".
This entry is how the virus recognises that it has already infected the system.
The registry locations are the following:
HKEY_CLASSES_ROOT\Chode
HKEY_CURRENT_USER\Software\Chode
HKEY_LOCAL_MACHINE\Software\Classes\Chode
Next, the virus loads the copy from the Windows System folder into memory.
The random-name folder also contains two data files, crss.dat and crss.ini, in which the virus stores its information in encrypted form.
It then displays the message box shown above.
This virus updates the following registry entries:
To auto-execute itself at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
run=C:\WinNT\System32\<random-name folder>\csrss.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
csrss=C:\WinNT\System32\<random-name folder>\csrss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
csrss=C:\WinNT\System32\<random-name folder>\csrss.exe
Browser settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
System policies:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\System
NoAdminPage=1
DisableRegistryTools
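The infection marker, the autostart values and the policy changes listed above can be checked together from a registry dump. The following script is an added example, not part of the original analysis: it parses constructed sample text in the style of `reg query /s` output (the folder name reuses the page's example; the Sidebar entry is a benign decoy) and flags each indicator. The assumption that a csrss.exe referenced from an autostart value inside a System32 subfolder is suspicious follows from the paths above; the real csrss.exe lives directly in System32.

```python
import re
# Constructed sample in the style of `reg query /s` output (not from the page);
# the random folder name reuses the page's example; Sidebar is a benign decoy.
SAMPLE_REG_DUMP = r"""HKEY_CURRENT_USER\Software\Chode
    Installed    REG_SZ    1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    csrss    REG_SZ    C:\WinNT\System32\kyuhovqoqf\csrss.exe
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    C:\WinNT\System32\kyuhovqoqf\csrss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\System
    NoAdminPage    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
"""
# Keys the analysis names as holding the "Installed" infection marker.
MARKER_KEYS = {r"HKEY_CLASSES_ROOT\Chode", r"HKEY_CURRENT_USER\Software\Chode",
               r"HKEY_LOCAL_MACHINE\Software\Classes\Chode"}
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\System"
# The real csrss.exe sits directly in System32; an autostart value pointing at
# csrss.exe inside a System32 subfolder is the pattern described above.
BOGUS_CSRSS = re.compile(r"\\system32\\[^\\]+\\csrss\.exe$", re.IGNORECASE)

def parse_reg_dump(text):
    """Parse reg-query style text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):        # unindented line = key path
            current = line.strip()
            keys[current] = {}
        elif current is not None:           # indented line = name  type  data
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys

def find_chod_indicators(text):
    """Return (category, location) pairs for each indicator from the analysis."""
    hits = []
    for key, values in parse_reg_dump(text).items():
        if key in MARKER_KEYS and values.get("Installed") in ("1", "0x1"):
            hits.append(("marker", key))
        for name, data in values.items():
            if BOGUS_CSRSS.search(data):
                hits.append(("autostart", key + "\\" + name))
        if key == POLICY_KEY:
            hits += [("policy", n) for n in ("NoAdminPage", "DisableRegistryTools")
                     if values.get(n) in ("1", "0x1")]
    return hits
```

On a live system the same logic can be fed the output of `reg query HKCU\Software\Chode /s` and the Run keys above; the sample returns five findings and ignores the decoy entry.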
The virus body contains traces of the following URLs: "http://nirsoft.mirrorz.com" and
"http://www.nirsoft.net/"
While the virus is loaded, it connects to an IRC server on "Dalnet"
and joins the channel "ch0dewaffles".
It then transfers system information and listens for instructions,
serving as a backdoor on the infected system.
This virus has the following capabilities, as seen from strings in its encrypted body.
Propagates via email
Gets email addresses from files with the following extensions:
- .dhtm
- .cgi
- .shtm
- .msg
- .oft
- .sht
- .dbx
- .tbb
- .adb
- .doc
- .wab
- .asp
- .uin
- .rtf
- .vbs
- .html
- .htm
- .pl
- .php
- .txt
- .eml
- .xml
- .ctt
- .sql
- .gov
- .mil
- abuse
- fbi
- norton
- messagelabs
- bitdefender
- f-secure
- avp
- spam
- symantec
- antivirus
- microsoft
- securityresponse@symantec.com
- security@microsoft.com
- security@trendmicro.com
- Your computer may have been infected
- Warning - you have been infected!
Your message was undeliverable due to the following reason(s): Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your original message has been attached.
The attachment of the email can be any of the following:
- netsky_removal.exe
- removal_tool.exe
- message.pif
- message.scr
The message can be any of the following:
- lol check this out, it freaked me out :S
- LOL! look at this, I can't explain it in words...
- omg check this out, it's just wrong :O
- ROFL!! you have to see this... wtf...
- you have to see this, it's amazing!
- holy shit you have to see this... :|
- I just found this on a CD... you won't believe it! :|
- dude check this out, it's awesome! :D
- some random chick just sent me her picture, check it out ;)
- haha you have to see this, I almost couldn't believe it! :O
- naked lesbian twister.exe
- naked lesbian twister.scr
- paris hilton.exe
- paris hilton.scr
- us together.exe
- us together.scr
- picture.exe
- picture.scr
- gross.exe
- gross.scr
- mypic.exe
- mypic.scr
- awesome.exe
- awesome.scr
- Symantec NetDriver Monitor
- Outpost Firewall
- gcasServ
- KAVPersonal50
- Zone Labs Client
- services
- microsoft antispyware*
- hijackthis*
- msconfig.exe
- kav.exe
- kavsvc.exe
- mcvsshld.exe
- mcagent.exe
- mcshield.exe
- mcvsftsn.exe
- mcdash.exe
- mcvsescn.exe
- mcinfo.exe
- mpfagent.exe
- mpftray.exe
- mpfservice.exe
- mskagent.exe
- mcmnhdlr.exe
- sndsrvc.exe
- usrprmpt.exe
- ccapp.exe
- ccevtmgr.exe
- spbbcsvc.exe
- ccsetmgr.exe
- symlcsvc.exe
- npfmntor.exe
- navapsvc.exe
- issvc.exe
- ccproxy.exe
- navapw32.exe
- navw32.exe
- smc.exe
- outpost.exe
- zlclient.exe
- vsmon.exe
- isafe.exe
- pandaavengine.exe
- msblast.exe
- penis32.exe
- teekids.exe
- bbeagle.exe
- d3dupdate.exe
- sysmonxp.exe
- i11r54n4.exe
- irun4.exe
- mscvb32.exe
- sysinfo.exe
- mwincfg32.exe
- wincfg32.exe
- winsys.exe
- zapro.exe
- winupd.exe
- enterprise.exe
- regedit.exe
- hijackthis.exe
- gcasdtserv.exe
- gcasserv.exe
- GAIM
- ICQ Lite/2003
- Miranda
- Trillian
- AOL Instant Messenger
- jabber
- MSN Messenger
- Yahoo Messenger
- ipconfig /flushdns --> purges the DNS resolver cache.
- netsh.exe firewall set opmode mode=disable profile=all --> disables the Windows Firewall for all profiles.
- pspv.exe /stab --> "Protected Storage PassView"
- mspass.exe /stab --> "MessenPass"
Recommended Action
Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.