W32.Imaut.BH

Risk Level 1: Very Low


Discovered: November 9, 2007
Updated: November 9, 2007 12:04:44 PM
Type: Worm
Infection Length: 1,396,988 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the worm executes, it creates the following files:
  • %System%\SVICHOOST.exe
  • %Windir%\SVICHOOST.exe


Next, the worm creates the following registry entries so that it executes whenever Windows starts. The Winlogon "Shell" value normally holds only Explorer.exe; appending SVICHOOST.exe makes Winlogon launch the worm alongside the desktop shell at every interactive logon, and the Run value gives it a second, per-user start point:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe SVICHOOST.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\SVICHOOST.exe"


The worm modifies the following registry entries to disable the registry editor and Windows Task Manager:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"


It also modifies the following registry entries. The first hides the Folder Options menu item in Explorer (so the user cannot re-enable the display of hidden files and file extensions); the second removes the run-time limit on jobs run by the AT scheduler service:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"


The worm then deletes the following registry entries, removing the startup entries of other security software (the Bkav antivirus window is also closed later, see below):
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection


Next, the worm contacts the following site to download a configuration file:
[http://]gaig0isaigon.t35.com

It saves the downloaded file to the following location:
%System%\setting.ini

The worm searches for an open Yahoo! Instant Messenger window and sends one of the following messages through it, chosen at random. The first five are Vietnamese lures (roughly: come look at this girl, come listen to this song, have you heard the news, this site is worth a look); the remainder are Vietnamese song lyrics. The strings are reproduced verbatim because they are usable as detection indicators:
  • E may, vao day coi co con nho nay ngon lam
  • Vao day nghe bai nay di ban
  • Vao day nghe bai nay di ban
  • Biet tin gi chua, vao day coi di
  • Trang Web nay coi cung hay, vao coi thu di
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa...
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi...
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo...
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...


The above messages also contain the following link:
[http://]nhatquanglan1.0catch.com

Next, the worm attempts to close any window whose title contains one of the following strings, if such a window exists (these match the Bkav antivirus, the System Configuration Utility, the Registry Editor and Windows Task Manager):
  • Bkav2006
  • System Configuration
  • Registry
  • Windows Task


It then attempts to end the following processes:
  • cmd.exe
  • game_y.exe


The worm attempts to shut down the computer if the following window exists:
FireLion

The worm then searches for removable drives attached to the computer and attempts to copy itself to the following file:
%DriveLetter%\New Folder.exe

Next, the worm reads the following registry subkey, which holds the network shares Explorer has previously crawled, to find shares to copy itself to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

If a share is found it copies itself to the following location:
%CurrentFolder%\New Folder.exe

It also copies itself into each folder it finds, as a file named after that folder:
%CurrentFolder%.exe

For example, if the folder %CurrentFolder%\Exa\mple exists, the worm creates the following file:
%CurrentFolder%\Exa\mple\mple.exe

The worm then creates a scheduled job that executes the following file every day at 9:00 AM, giving it a start point that survives removal of the Winlogon and Run entries alone:
%System%\SVICHOOST.exe
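The following PowerShell script is an added example and not part of the Symantec writeup: it audits a host for the artifacts listed above (dropped files, Winlogon Shell hijack, Run value, lockout policies, the 9:00 AM job, and the copies on removable drives) and, with a -Remediate switch, undoes them. The function name Audit-Imaut, the -Remediate switch, and the use of schtasks to enumerate the legacy AT job (the writeup gives the schedule but not a job name) are this example's own assumptions. Run it from an elevated PowerShell prompt in the affected user's session, since most of the registry changes are under HKEY_CURRENT_USER.

```powershell
# Added example (not from the Symantec writeup): audit a host for W32.Imaut.BH
# artifacts and optionally remove them. Audit-Imaut and -Remediate are assumed names.
function Audit-Imaut {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = New-Object System.Collections.Generic.List[string]
    $system   = [Environment]::GetFolderPath('System')   # %System%
    $windir   = $env:WINDIR                              # %Windir%

    # 1. Dropped copies of the worm and its downloaded configuration file.
    #    Stop the running process first, or the file delete will fail.
    if ($Remediate) { Get-Process SVICHOOST -ErrorAction SilentlyContinue | Stop-Process -Force }
    foreach ($f in "$system\SVICHOOST.exe", "$windir\SVICHOOST.exe", "$system\setting.ini") {
        if (Test-Path -LiteralPath $f) {
            $findings.Add("file: $f")
            if ($Remediate) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
        }
    }

    # 2. Persistence. Winlogon\Shell should be exactly "explorer.exe"; the worm
    #    appends SVICHOOST.exe so both start at every interactive logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("winlogon Shell hijacked: $shell")
        if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
    }
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runEntry = Get-ItemProperty -Path $run -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
    if ($runEntry) {
        $findings.Add("run value: 'Yahoo Messengger' = $($runEntry.'Yahoo Messengger')")
        if ($Remediate) { Remove-ItemProperty -Path $run -Name 'Yahoo Messengger' }
    }

    # 3. Policy values that lock the user out of Task Manager, regedit and
    #    Folder Options. Deleting the value restores the default (tool enabled).
    $policies = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    )
    foreach ($p in $policies) {
        $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($p.Name) -eq 1) {
            $findings.Add("policy: $($p.Name) = 1")
            if ($Remediate) { Remove-ItemProperty -Path $p.Path -Name $p.Name }
        }
    }

    # 4. The daily 9:00 AM job. Legacy AT jobs appear in schtasks as "At<N>" tasks;
    #    match on the command it runs rather than on a job number.
    $jobs = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
    foreach ($j in $jobs) {
        if ($j.'Task To Run' -match 'SVICHOOST\.exe') {
            $findings.Add("scheduled task: $($j.TaskName) -> $($j.'Task To Run')")
            if ($Remediate) { schtasks.exe /Delete /TN $j.TaskName /F | Out-Null }
        }
    }

    # 5. Removable drives (DriveType 2): "New Folder.exe" in the root, plus the
    #    <Folder>\<Folder>.exe companion copies the worm drops inside folders.
    foreach ($d in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $d.DeviceID + '\'
        $nf = Join-Path $root 'New Folder.exe'
        if (Test-Path -LiteralPath $nf) {
            $findings.Add("removable drive: $nf")
            if ($Remediate) { Remove-Item -LiteralPath $nf -Force }
        }
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } | ForEach-Object {
                $twin = Join-Path $_.FullName ($_.Name + '.exe')
                if (Test-Path -LiteralPath $twin) {
                    $findings.Add("companion exe: $twin")
                    if ($Remediate) { Remove-Item -LiteralPath $twin -Force }
                }
            }
    }
    return $findings
}

# Audit first, review the output, then run again with -Remediate.
Audit-Imaut | ForEach-Object { Write-Output $_ }
```

Run the audit once without -Remediate and keep its output as the incident record before cleaning. Because the worm closes windows whose titles contain "Registry" and "Windows Task", verify the registry state from this script rather than from regedit or Task Manager until the policy values are gone. The share copies under %CurrentFolder% are not covered here because the affected paths live on other hosts; check those shares with the same two filename patterns.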

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Hiroshi Shinotsuka