W32/Tanked!worm.p2p
Analysis
- The virus is 32-bit with a compressed size of at least 102,175 bytes; it may also exist in bloated file sizes, where the infectious files are padded with hex 0 (null) bytes
- This virus is a variant of the Tanked family; the initial variants are reportedly close to 20 KB in size
- If run, the virus copies itself to the %Windows%\System folder as "winsys.exe"
- Next, it modifies the registry, first adding the following keys:
HKEY_LOCAL_MACHINE\Software\Krypton
HKEY_LOCAL_MACHINE\Software\Krypton\(path where virus was initially run from)
HKEY_LOCAL_MACHINE\Software\Krypton\(%Windows%\System path)-winsys.exe
- It then modifies the registry so that the virus is loaded at the next Windows startup, and sets other values for its own use:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"WinSys" = winsys.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"WinSys" = winsys.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"WinSys" = winsys.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Explorer" = Explorer.exe %System32%\winsys.exe
HKEY_LOCAL_MACHINE\Software\Krypton\(path where virus was initially run from)
"K-Key" = (hex value)
HKEY_LOCAL_MACHINE\Software\Krypton\(%Windows%\System path)-winsys.exe
"K-Key" = (hex value)
- The virus modifies the location of the shared folder for the peer-to-peer file sharing application Kazaa; the new download and shared folder is %Windows%\user32
- The virus may also copy itself into the new shared folder under several different file names, chosen so that it turns up in popular file searches. The files created range in size from 102 KB to more than 1 MB, to make them look like genuine downloads. The files created are:
c:\WINNT\User32\ACDSee 5.5.exe
c:\WINNT\User32\Ad-aware 6.5.exe
c:\WINNT\User32\Age of Empires 2 crack.exe
c:\WINNT\User32\Anno 1503_crack.exe
c:\WINNT\User32\AquaNox2 Crack.exe
c:\WINNT\User32\Battlefield1942_bloodpatch.exe
c:\WINNT\User32\Battlefield1942_keygen.exe
c:\WINNT\User32\C&C Generals_crack.exe
c:\WINNT\User32\C&C Renegade_crack.exe
c:\WINNT\User32\Diablo 2 Crack.exe
c:\WINNT\User32\DirectDVD 5.0.exe
c:\WINNT\User32\DivX Video Bundle 6.5.exe
c:\WINNT\User32\FIFA2003 crack.exe
c:\WINNT\User32\Flash MX crack (trial).exe
c:\WINNT\User32\Global DiVX Player 3.0.exe
c:\WINNT\User32\Gothic 2 licence.exe
c:\WINNT\User32\GTA 3 Crack.exe
c:\WINNT\User32\GTA 3 patch (no cd).exe
c:\WINNT\User32\Hitman_2_no_cd_crack.exe
c:\WINNT\User32\ICQ Lite (new).exe
c:\WINNT\User32\iMesh 3.6.exe
c:\WINNT\User32\iMesh 3.7b (beta).exe
c:\WINNT\User32\KaZaA Hack 2.5.0.exe
c:\WINNT\User32\KaZaA Lite (New).exe
c:\WINNT\User32\Mafia_crack.exe
c:\WINNT\User32\MediaPlayer Update.exe
c:\WINNT\User32\NBA2003_crack.exe
c:\WINNT\User32\Neverwinter_Nights_licence.exe
c:\WINNT\User32\NHL 2003 crack.exe
c:\WINNT\User32\QuickTime_Pro_Crack.exe
c:\WINNT\User32\SmartFTP 2.0.0.exe
c:\WINNT\User32\Splinter_Cell_Crack.exe
c:\WINNT\User32\Unreal2_bloodpatch.exe
c:\WINNT\User32\UT2003_bloodpatch.exe
c:\WINNT\User32\UT2003_keygen.exe
c:\WINNT\User32\UT2003_no cd (crack).exe
c:\WINNT\User32\UT2003_patch.exe
c:\WINNT\User32\WarCraft_3_crack.exe
c:\WINNT\User32\Winamp 3.8.exe
c:\WINNT\User32\WinZip 9.0b.exe
- The virus then launches "winsys.exe", which attempts to connect to the Internet on TCP port 30201 and awaits commands from a hacker or group of hackers
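The indicators above (the Krypton marker keys, the autostart and Winlogon values naming winsys.exe, the dropped copy, the decoy files in the %Windows%\user32 share, TCP port 30201 and the null-byte padding) can be checked offline against artifacts collected from a suspect host. The script below is an added example and is not code from this page or from the Fortinet products it lists; it consumes a .reg-style export, a file listing, netstat-style socket lines and a file body, all of which are constructed sample data here. Function and constant names are this example's own. The Kazaa shared-folder setting itself is not checked because the page does not say where Kazaa stores it.

```python
# Added example, not code from the Fortinet page: offline triage of collected
# artifacts (a .reg export, a file listing, netstat-style lines, a file body)
# against the W32/Tanked!worm.p2p indicators listed above. Sample inputs are
# constructed; function and constant names are this example's own.
import re

DROPPER_NAME = "winsys.exe"
KRYPTON_KEY = r"hkey_local_machine\software\krypton"
# Keys the description says carry a value that loads winsys.exe (lower-cased).
AUTOSTART_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
}
C2_PORT = 30201
# Subset of the decoy names listed above (lower-cased); extend with the full list.
DECOY_NAMES = {"acdsee 5.5.exe", "diablo 2 crack.exe", "kazaa lite (new).exe",
               "kazaa hack 2.5.0.exe", "ut2003_keygen.exe", "winzip 9.0b.exe"}
_REG_VALUE = re.compile(r'"([^"]+)"=(?:"(.*)"|(.*))$')


def parse_reg_export(text):
    """Parse the .reg subset used here: [key] headers and "name"=value lines."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = _REG_VALUE.match(line)
            if m:  # quoted string value, or an unquoted one such as hex:...
                entries[key][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return entries


def check_registry(entries):
    """Flag the Krypton marker keys and any autostart/Winlogon value naming winsys.exe."""
    findings = []
    for key, values in entries.items():
        lk = key.lower()
        if lk == KRYPTON_KEY or lk.startswith(KRYPTON_KEY + "\\"):
            findings.append(f"marker key present: {key}")
        if lk in AUTOSTART_KEYS:
            for name, value in values.items():
                if DROPPER_NAME in value.lower():
                    findings.append(f"persistence: {key}\\{name} = {value}")
    return findings


def check_files(paths):
    """Flag the dropped copy under the System folder and decoys in a user32 share."""
    findings = []
    for path in paths:
        parent, _, name = path.lower().replace("/", "\\").rpartition("\\")
        if name == DROPPER_NAME and parent.endswith(("\\system", "\\system32")):
            findings.append(f"dropper copy: {path}")
        elif parent.endswith("\\user32") and name in DECOY_NAMES:
            findings.append(f"decoy share file: {path}")
    return findings


def check_sockets(netstat_lines):
    """Flag TCP sockets whose local or remote port is the 30201 command channel."""
    findings = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "TCP":
            continue
        ports = {int(addr.rsplit(":", 1)[1]) for addr in parts[1:3]}
        if C2_PORT in ports:
            findings.append(f"TCP {C2_PORT} in use: {line.strip()}")
    return findings


def trailing_zero_padding(data):
    """Number of trailing 0x00 bytes; a large count matches the padded 'bloated' samples."""
    return len(data) - len(data.rstrip(b"\x00"))


def triage(reg_text, paths, netstat_lines):
    """Run every check and return the combined list of findings."""
    return (check_registry(parse_reg_export(reg_text))
            + check_files(paths) + check_sockets(netstat_lines))


# Constructed sample artifacts (not captured from a real host).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Krypton]

[HKEY_LOCAL_MACHINE\Software\Krypton\C:\Temp\setup.exe]
"K-Key"=hex:1a,2b,3c

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinSys"="winsys.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Explorer"="Explorer.exe C:\\WINNT\\System32\\winsys.exe"
"""
SAMPLE_FILES = [r"C:\WINNT\System\winsys.exe", r"C:\WINNT\User32\KaZaA Lite (New).exe",
                r"C:\WINNT\User32\UT2003_keygen.exe", r"C:\WINNT\User32\readme.txt"]
SAMPLE_NETSTAT = ["TCP  0.0.0.0:30201  0.0.0.0:0  LISTENING",
                  "TCP  192.168.1.5:1049  10.0.0.9:30201  ESTABLISHED",
                  "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING", "UDP  0.0.0.0:500  *:*"]
SAMPLE_BODY = b"MZ" + b"\x90" * 100 + b"\x00" * 5000  # constructed padded body

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_NETSTAT):
        print(finding)
    print("trailing zero bytes:", trailing_zero_padding(SAMPLE_BODY))
```

On a real case the inputs would come from a registry export (`reg export` or a forensic hive dump), a recursive directory listing and a `netstat -an` capture taken from the suspect host; the checks are string matches, so they are cheap to extend with the remaining decoy names from the list above.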
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |